AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A hospital is designing a new application that gathers symptoms from patients. The hospital has decided to use Amazon Simple Queue Service (Amazon SQS) and Amazon Simple Notification Service (Amazon SNS) in the architecture. A solutions architect is reviewing the infrastructure design. Data must be encrypted at rest and in transit. Only authorized personnel of the hospital should be able to access the data. Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Turn on server-side encryption on the SQS components. Update the default key policy to restrict key usage to a set of authorized principals.

Turn on server-side encryption on the SNS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals.

Turn on encryption on the SNS components. Update the default key policy to restrict key usage to a set of authorized principals. Set a condition in the topic policy to allow only encrypted connections over TLS.

Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS.

Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply an IAM policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS.

Explanation:

Explanation

Correct Answers: B and D

Why B is correct:

SNS supports server-side encryption (SSE) using AWS KMS customer managed keys
Applying a key policy to restrict key usage to authorized principals ensures only authorized hospital personnel can access the data
This addresses encryption at rest for SNS components

Why D is correct:

SQS supports server-side encryption (SSE) using AWS KMS customer managed keys
Applying a key policy (not IAM policy) to restrict key usage ensures proper key-level authorization
Setting a condition in the queue policy to allow only encrypted connections over TLS ensures encryption in transit
This addresses both encryption at rest (via SSE) and encryption in transit (via TLS requirement)

Why other options are incorrect:

A: Incorrect because it doesn't specify using AWS KMS customer managed key and doesn't address encryption in transit.

C: Incorrect because it doesn't specify using AWS KMS customer managed key for SNS encryption, and SNS uses key policies (not topic policies) for restricting key usage.

E: Incorrect because it suggests applying an IAM policy to restrict key usage, but for KMS keys, you should use key policies (not IAM policies) to control access to the encryption keys themselves.

Key Points:

Encryption at rest: Achieved through server-side encryption (SSE) using AWS KMS customer managed keys for both SQS and SNS
Encryption in transit: Achieved by requiring TLS connections through queue/topic policies
Access control: Achieved through KMS key policies that restrict which principals can use the encryption keys
Customer managed keys provide more control over key policies compared to AWS managed keys

Powered ByGPT-5.2

Comments

Loading comments...