AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A hospital needs to store patient records in an Amazon S3 bucket. The hospital's compliance team must ensure that all protected health information (PHI) is encrypted in transit and at rest. The compliance team must administer the encryption key for data at rest.

Which solution will meet these requirements?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Create a public SSL/TLS certificate in AWS Certificate Manager (ACM). Associate the certificate with Amazon S3. Configure default encryption for each S3 bucket to use server-side encryption with AWS KMS keys (SSE-KMS). Assign the compliance team to manage the KMS keys.

Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Configure default encryption for each S3 bucket to use server-side encryption with S3 managed encryption keys (SSE-S3). Assign the compliance team to manage the SSE-S3 keys.

Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Configure default encryption for each S3 bucket to use server-side encryption with AWS KMS keys (SSE-KMS). Assign the compliance team to manage the KMS keys.

Use the aws:SecureTransport condition on S3 bucket policies to allow only encrypted connections over HTTPS (TLS). Use Amazon Macie to protect the sensitive data that is stored in Amazon S3. Assign the compliance team to manage Macie.

Explanation:

Explanation

Let's analyze each option against the requirements:

Requirements:

Encrypt PHI in transit (HTTPS/TLS)
Encrypt PHI at rest
Compliance team must administer the encryption key for data at rest

Option A Analysis:

Creates SSL/TLS certificate in ACM (good for encryption in transit)
Associates certificate with S3 (not necessary for S3 encryption in transit)
Configures SSE-KMS (good for encryption at rest with customer-managed keys)
Assigns compliance team to manage KMS keys (meets requirement #3)
Issue: Missing the aws:SecureTransport condition to enforce HTTPS-only access

Option B Analysis:

Uses aws:SecureTransport condition (enforces HTTPS/TLS, meets requirement #1)
Configures SSE-S3 (encryption at rest, but with S3-managed keys)
Assigns compliance team to manage SSE-S3 keys (problem: SSE-S3 keys are managed by AWS, not customers)
Issue: SSE-S3 keys cannot be administered by customers - they are fully managed by AWS

Option C Analysis:

Uses aws:SecureTransport condition (enforces HTTPS/TLS, meets requirement #1)
Configures SSE-KMS (encryption at rest with KMS keys, meets requirement #2)
Assigns compliance team to manage KMS keys (meets requirement #3 - KMS keys can be customer-managed)
Perfect: Meets all requirements

Option D Analysis:

Uses aws:SecureTransport condition (enforces HTTPS/TLS, meets requirement #1)
Uses Amazon Macie (for data discovery and classification, not for encryption)
Assigns compliance team to manage Macie (doesn't meet encryption at rest requirement)
Issue: Macie doesn't provide encryption; it's for data discovery and protection, not encryption

Key Points:

aws:SecureTransport condition in S3 bucket policies is the correct way to enforce HTTPS/TLS encryption in transit
SSE-KMS allows customers to manage their own encryption keys through AWS KMS
SSE-S3 uses AWS-managed keys that customers cannot administer
Amazon Macie is for data discovery, classification, and protection, not for encryption implementation

Correct Answer: C - It properly enforces HTTPS with aws:SecureTransport, uses SSE-KMS for encryption at rest with customer-managed keys, and allows the compliance team to administer the KMS keys.

Powered ByGPT-5.2

Comments

Loading comments...