
A company's containerized application runs on an Amazon EC2 instance. The application needs to download security certificates before it can communicate with other business applications. The company wants a highly secure solution to encrypt and decrypt the certificates in near real time. The solution also needs to store data in highly available storage after the data is encrypted.
Which solution will meet these requirements with the LEAST operational overhead?
A
Create AWS Secrets Manager secrets for encrypted certificates. Manually update the certificates as needed. Control access to the data by using fine-grained IAM access.
B
Create an AWS Lambda function that uses the Python cryptography library to receive and perform encryption operations. Store the function in an Amazon S3 bucket.
C
Create an AWS Key Management Service (AWS KMS) customer managed key. Allow the EC2 role to use the KMS key for encryption operations. Store the encrypted data on Amazon S3.
D
Create an AWS Key Management Service (AWS KMS) customer managed key. Allow the EC2 role to use the KMS key for encryption operations. Store the encrypted data on Amazon Elastic Block Store (Amazon EBS) volumes.
Explanation:
Option C is the correct answer because it provides:
AWS KMS for encryption/decryption: AWS KMS is a managed service whose customer managed keys are generated and used inside FIPS 140-validated hardware security modules; the key material never leaves the service, and Encrypt, Decrypt and GenerateDataKey calls return with low, predictable latency, which satisfies the near-real-time requirement. One caveat a practitioner should know: a single KMS Encrypt or Decrypt call handles at most 4 KB of data, so a certificate or certificate chain larger than that is protected with envelope encryption (GenerateDataKey returns a fresh data key plus a KMS-wrapped copy of it; the application encrypts the certificate locally with the data key and stores the wrapped key next to the ciphertext). Enabling S3 server-side encryption with the same key (SSE-KMS) performs that envelope flow for you. Automatic key rotation is a setting on the key, so ongoing key-management overhead is minimal.
Amazon S3 for highly available storage: S3 Standard is designed for 99.999999999% (11 9's) durability and 99.99% availability, with every object stored redundantly across multiple Availability Zones in the Region, meeting the requirement for highly available storage of the encrypted data.
Least operational overhead: The solution leverages fully managed AWS services (KMS and S3) rather than requiring manual certificate updates or custom encryption code.
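The envelope-encryption flow that option C implies, written out as an added example; it is not part of the original question and is not AWS code. It assumes a hypothetical key alias alias/app-certs and object name certs/partner-api.pem, and replaces the AWS SDK KMS client with a constructed in-memory stand-in (fakeKMS) that mimics GenerateDataKey and Decrypt so the code runs offline; the variables in main stand in for s3.PutObject and s3.GetObject. What it shows beyond the explanation above is why GenerateDataKey rather than Encrypt is the right KMS call for a certificate: KMS processes at most 4 KB per call, so the data key encrypts the PEM locally with AES-256-GCM and only the 32-byte key goes through KMS, and the S3 object key is bound in as additional authenticated data so a blob cannot be copied to another object name and still decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// DataKeyService is the slice of the KMS API this pattern needs; in production the
// AWS SDK's KMS client provides it. fakeKMS is a constructed stand-in (NOT the SDK)
// that keeps one "customer managed key" in memory and wraps data keys under it.
type DataKeyService interface {
	GenerateDataKey(keyID string) (plaintext, wrapped []byte, err error)
	Decrypt(wrapped []byte) ([]byte, error)
}

type fakeKMS struct {
	keyID     string
	masterKey []byte
}

func (k *fakeKMS) GenerateDataKey(keyID string) ([]byte, []byte, error) {
	dk := randomBytes(32) // AES-256 data key; the stub ignores keyID, real KMS checks its key policy
	wrapped, err := seal(k.masterKey, dk, []byte(k.keyID))
	return dk, wrapped, err
}

func (k *fakeKMS) Decrypt(wrapped []byte) ([]byte, error) {
	return open(k.masterKey, wrapped, []byte(k.keyID))
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure: refuse to continue rather than use weak bytes
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Envelope is the S3 object body: wrapped data key and ciphertext travel together.
type Envelope struct{ WrappedKey, Ciphertext []byte }

// EncryptCertificate gets a fresh data key from KMS and encrypts locally (no 4 KB KMS
// limit); the S3 object key is bound in as AAD so the blob cannot be renamed and decrypt.
func EncryptCertificate(kms DataKeyService, keyID, objectKey string, pem []byte) (Envelope, error) {
	dk, wrapped, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dk, pem, []byte(objectKey))
	return Envelope{WrappedKey: wrapped, Ciphertext: ct}, err
}

// DecryptCertificate fails on any change to the ciphertext, wrapped key or object name.
func DecryptCertificate(kms DataKeyService, objectKey string, env Envelope) ([]byte, error) {
	dk, err := kms.Decrypt(env.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dk, env.Ciphertext, []byte(objectKey))
}

func main() {
	kms := &fakeKMS{keyID: "alias/app-certs", masterKey: randomBytes(32)} // hypothetical alias
	cert := []byte("-----BEGIN CERTIFICATE-----\nMIIB...constructed sample...\n-----END CERTIFICATE-----\n")
	env, _ := EncryptCertificate(kms, "alias/app-certs", "certs/partner-api.pem", cert) // then s3.PutObject
	got, err := DecryptCertificate(kms, "certs/partner-api.pem", env)                  // after s3.GetObject
	fmt.Println("round trip ok:", err == nil && string(got) == string(cert))
}
```

With the real SDK, the EC2 instance role needs kms:GenerateDataKey and kms:Decrypt on the key and s3:PutObject / s3:GetObject on the bucket prefix, and the real KMS EncryptionContext parameter plays for the wrapped key the same binding role that the AAD plays here. Turning on SSE-KMS with the same customer managed key on the bucket performs this whole envelope flow server-side, which is the lowest-overhead form of option C.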
Why other options are incorrect:
Option A: The manual certificate updates this option specifies are exactly the operational overhead the question asks to avoid. Secrets Manager is a store for small secrets (it encrypts each value with KMS on your behalf and caps a secret at 64 KB); it is not a general encryption service the application can call to encrypt and decrypt its own data in near real time.
Option B: Replaces a managed service with custom encryption code. The Lambda function and its cryptography dependency must be patched and maintained, the keys it uses still have to be managed somewhere, and storing the function in an S3 bucket stores code, not the encrypted certificates, so the highly available storage requirement is not addressed at all.
Option D: An EBS volume is replicated only within one Availability Zone and must be attached to an instance to be read, so an AZ outage or the loss of the instance takes the data offline; it gives the container no durable location independent of the instance. S3 is Regional and multi-AZ by design, which is the availability the question asks for.
Key AWS services involved: AWS KMS (the customer managed key), Amazon S3 (the encrypted object store) and the EC2 instance's IAM role, which is granted kms:GenerateDataKey and kms:Decrypt on the key and s3:PutObject / s3:GetObject on the bucket, so no long-lived credentials are placed in the container.
This solution provides a secure, scalable, and low-maintenance approach to certificate encryption and storage.