Answer-first summary for fast verification
Answer: Turn on server-side encryption on the SNS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals., Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS.
## Explanation **Correct Answers: B and D** **Why B is correct:** - SNS supports server-side encryption (SSE) using AWS KMS customer managed keys - Applying a key policy to restrict key usage to authorized principals ensures only authorized hospital personnel can access the data - This addresses encryption at rest for SNS components **Why D is correct:** - SQS supports server-side encryption (SSE) using AWS KMS customer managed keys - Applying a key policy (not IAM policy) to restrict key usage ensures proper key-level authorization - Setting a condition in the queue policy to allow only encrypted connections over TLS ensures encryption in transit - This addresses both encryption at rest (via SSE) and encryption in transit (via TLS requirement) **Why other options are incorrect:** **A:** Incorrect because it doesn't specify using AWS KMS customer managed key and doesn't address encryption in transit. **C:** Incorrect because it doesn't specify using AWS KMS customer managed key for SNS encryption, and SNS uses key policies (not topic policies) for restricting key usage. **E:** Incorrect because it suggests applying an IAM policy to restrict key usage, but for KMS keys, you should use key policies (not IAM policies) to control access to the encryption keys themselves. **Key Points:** 1. **Encryption at rest:** Achieved through server-side encryption (SSE) using AWS KMS customer managed keys for both SQS and SNS 2. **Encryption in transit:** Achieved by requiring TLS connections through queue/topic policies 3. **Access control:** Achieved through KMS key policies that restrict which principals can use the encryption keys 4. **Customer managed keys** provide more control over key policies compared to AWS managed keys
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
No comments yet.
A hospital is designing a new application that gathers symptoms from patients. The hospital has decided to use Amazon Simple Queue Service (Amazon SQS) and Amazon Simple Notification Service (Amazon SNS) in the architecture. A solutions architect is reviewing the infrastructure design. Data must be encrypted at rest and in transit. Only authorized personnel of the hospital should be able to access the data. Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)
A
Turn on server-side encryption on the SQS components. Update the default key policy to restrict key usage to a set of authorized principals.
B
Turn on server-side encryption on the SNS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals.
C
Turn on encryption on the SNS components. Update the default key policy to restrict key usage to a set of authorized principals. Set a condition in the topic policy to allow only encrypted connections over TLS.
D
Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS.
E
Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply an IAM policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS.