Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 359 discussion

Option C is correct because it allows the compliance team to manage the KMS keys used for server-side encryption, thereby providing the necessary control over the encryption keys. Additionally, the use of the "aws:SecureTransport" condition on the bucket policy ensures that all connections to the S3 bucket are encrypted in transit. option B might be misleading but using SSE-S3, the encryption keys are managed by AWS and not by the compliance team

Not A, Certificate Manager has nothing to do with S3 Not B, SSE-S3 does not allow compliance team to manage the key Not D, Macie is for identifying sensitive data, not protecting it

Macie does not encrypt the data like the question is asking https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html Also, SSE-S3 encryption is fully managed by AWS so the Compliance Team can't administer this.

D - Can't be because - Amazon Macie is a data security service that uses machine learning (ML) and pattern matching to discover and help protect your sensitive data. Macie discovers sensitive information, can help in protection but can't protect

B can work if they do not want control over encryption keys.

Option A proposes creating a public SSL/TLS certificate in AWS Certificate Manager and associating it with Amazon S3. This step ensures that data is encrypted in transit. Then, the default encryption for each S3 bucket will be configured to use server-side encryption with AWS KMS keys (SSE-KMS), which will provide encryption at rest for the data stored in S3. In this solution, the compliance team will manage the KMS keys, ensuring that they control the encryption keys for data at rest.

Option C seems to be the correct answer, option A is also close but ACM cannot be integrated with Amazon S3 bucket directly, hence, u can not attached TLS to S3. You can only attached TLS certificate to ALB, API Gateway and CloudFront and maybe Global Accelerator but definitely NOT EC2 instance and S3 bucket

D makes no sense.

Correct Answer is "C" “D” is not correct because Amazon Macie securely stores your data at rest using AWS encryption solutions. Macie encrypts data, such as findings, using an AWS managed key from AWS Key Management Service (AWS KMS). However, in the question there is a requirement that the compliance team must administer the encryption key for data at rest. https://docs.aws.amazon.com/macie/latest/user/data-protection.html

Option C will meet the requirements. Explanation: The compliance team needs to administer the encryption key for data at rest in order to ensure that protected health information (PHI) is encrypted in transit and at rest. Therefore, we need to use server-side encryption with AWS KMS keys (SSE-KMS). The default encryption for each S3 bucket can be configured to use SSE-KMS to ensure that all new objects in the bucket are encrypted with KMS keys. Additionally, we can configure the S3 bucket policies to allow only encrypted connections over HTTPS (TLS) using the aws:SecureTransport condition. This ensures that the data is encrypted in transit.

We must provide encrypted in transit and at rest. Macie is needed to discover and recognize any PII or Protected Health Information. We already know that the hospital is working with the sensitive data ) so protect them witn KMS and SSL. Answer D is unnecessary

Macie does not encrypt the data like the question is asking https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html Also, SSE-S3 encryption is fully managed by AWS so the Compliance Team can't administer this.

C [Correct]: Ensures Https only traffic (encrypted transit), Enables compliance team to govern encryption key. D [Incorrect]: Misleading; PHI is required to be encrypted not discovered. Maice is a discovery service. (https://aws.amazon.com/macie/)

Correct answer should be D. "Use Amazon Macie to protect the sensitive data..." As requirement says "The hospitals's compliance team must ensure that all protected health information (PHI) is encrypted in transit and at rest." Macie protects personal record such as PHI. Macie provides you with an inventory of your S3 buckets, and automatically evaluates and monitors the buckets for security and access control. If Macie detects a potential issue with the security or privacy of your data, such as a bucket that becomes publicly accessible, Macie generates a finding for you to review and remediate as necessary.

Option C should be