Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 364 discussion

A hospital is designing a new application that gathers symptoms from patients. The hospital has decided to use Amazon Simple Queue Service (Amazon SQS) and Amazon Simple Notification Service (Amazon SNS) in the architecture.

A solutions architect is reviewing the infrastructure design. Data must be encrypted at rest and in transit. Only authorized personnel of the hospital should be able to access the data.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

  • A. Turn on server-side encryption on the SQS components. Update the default key policy to restrict key usage to a set of authorized principals.
  • B. Turn on server-side encryption on the SNS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals.
  • C. Turn on encryption on the SNS components. Update the default key policy to restrict key usage to a set of authorized principals. Set a condition in the topic policy to allow only encrypted connections over TLS.
  • D. Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS.
  • E. Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply an IAM policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS.
Suggested Answer: BD

Comments

awsgeek75
Highly Voted 6 months, 1 week ago
My god! Every other question is about SQS! I thought this was AWS Solution Architect test not "How to solve any problem in AWS using SQS" test!
upvoted 16 times
fkie4
Highly Voted 1 year, 4 months ago
Selected Answer: BD
Read this:
https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html
upvoted 15 times
Gooniegoogoo
1 year ago
Good call. That confirms it on that page: "Important: All requests to topics with SSE enabled must use HTTPS and Signature Version 4. For information about compatibility of other services with encrypted topics, see your service documentation. Amazon SNS only supports symmetric encryption KMS keys. You cannot use any other type of KMS key to encrypt your service resources. For help determining whether a KMS key is a symmetric encryption key, see Identifying asymmetric KMS keys."
upvoted 4 times
pentium75
Most Recent 6 months, 3 weeks ago
Selected Answer: BD
A and C involve 'updating the default key policy', which is not something you can do. Either you create a key policy, OR AWS assigns THE "default key policy". E 'applies an IAM policy to restrict key usage to a set of authorized principals', which is not how IAM policies work. You can 'apply an IAM policy to restrict key usage', but it would be restricted to the principals who have the policy attached; you can't specify them in the policy. That leaves B and D. That B lacks the TLS statement is irrelevant because "all requests to topics with SSE enabled must use HTTPS" anyway.
upvoted 6 times
dkw2342
4 months, 2 weeks ago
Yes, BD is correct. "All requests to queues with SSE enabled must use HTTPS and Signature Version 4." -> valid for SNS and SQS alike:
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html
https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
"Set a condition in the queue policy to allow only encrypted connections over TLS." refers to the "aws:SecureTransport" condition, but it's actually redundant.
upvoted 2 times
TariqKipkemei
1 year, 2 months ago
Selected Answer: CD
It's only options C and D that cover encryption in transit, encryption at rest and a restriction policy.
upvoted 3 times
Lalo
1 year, 1 month ago
Answer is BD. SNS: AWS KMS, key policy; SQS: AWS KMS, key policy.
upvoted 4 times
luisgu
1 year, 2 months ago
Selected Answer: BD
"IAM policies: you can't specify the principal in an identity-based policy because it applies to the user or role to which it is attached." Reference: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/security_iam_service-with-iam.html That excludes E.
upvoted 2 times
imvb88
1 year, 3 months ago
Selected Answer: CD
Encryption in transit = use SSL/TLS -> rule out A, B.
Encryption at rest = encryption on components -> keep C, D, E.
KMS always needs a key policy, IAM is optional -> E out -> C, D left, one for SNS, one for SQS.
TLS: checked, encryption on components: checked.
upvoted 4 times
Lalo
1 year, 1 month ago
Answer is BD. SNS: AWS KMS, key policy; SQS: AWS KMS, key policy.
upvoted 4 times
imvb88
1 year, 3 months ago
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-data-encryption.html
"You can protect data in transit using Secure Sockets Layer (SSL) or client-side encryption. You can protect data at rest by requesting Amazon SQS to encrypt your messages before saving them to disk in its data centers and then decrypt them when the messages are received."

https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
"A key policy is a resource policy for an AWS KMS key. Key policies are the primary way to control access to KMS keys. Every KMS key must have exactly one key policy. The statements in the key policy determine who has permission to use the KMS key and how they can use it. You can also use IAM policies and grants to control access to the KMS key, but every KMS key must have a key policy."
upvoted 2 times
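As an added example that is not part of this thread and not AWS's own code or documentation: the two policy documents that options B and D describe (a customer managed KMS key policy naming a fixed set of principals, and a queue or topic policy that denies any request not sent over TLS), built as plain Python dicts, plus the checks a reviewer would run on them. The account ID, ARNs and role names are constructed placeholders; `default_key_policy` reproduces only the shape of the AWS default key policy (account root gets kms:*) that pentium75 contrasts with a key policy you write yourself, and `build_resource_policy` takes a service prefix so the same function covers both SQS queues and SNS topics.

```python
# Added example, not from the exam page or from AWS. Every ARN, account ID and
# role name below is a constructed placeholder.
import json

ACCOUNT_ID = "111122223333"  # constructed placeholder account
QUEUE_ARN = f"arn:aws:sqs:us-east-1:{ACCOUNT_ID}:patient-symptoms"
KEY_ADMIN = f"arn:aws:iam::{ACCOUNT_ID}:role/KmsAdmin"
AUTHORIZED = [f"arn:aws:iam::{ACCOUNT_ID}:role/IntakeApp",
              f"arn:aws:iam::{ACCOUNT_ID}:role/ClinicalStaff"]


def build_key_policy(admin_arn, authorized_principals):
    """Key policy for a customer managed key (options B/D): a named admin and a
    named set of users; no account-wide grant."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowKeyAdministration", "Effect": "Allow",
         "Principal": {"AWS": admin_arn},
         "Action": ["kms:Describe*", "kms:Put*", "kms:Update*", "kms:Enable*",
                    "kms:Disable*", "kms:ScheduleKeyDeletion"],
         "Resource": "*"},
        {"Sid": "AllowAuthorizedPrincipalsToUseKey", "Effect": "Allow",
         "Principal": {"AWS": list(authorized_principals)},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*",
                    "kms:DescribeKey"],
         "Resource": "*"},
    ]}


def default_key_policy(account_id):
    """Shape of the AWS default key policy: the account root principal gets
    kms:*, so access is delegated to IAM rather than restricted here."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
         "Action": "kms:*", "Resource": "*"}]}


def build_resource_policy(resource_arn, service, actions, authorized_principals):
    """Queue (service='sqs') or topic (service='sns') policy: allow the named
    principals and deny any request that is not made over TLS."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowAuthorizedPrincipals", "Effect": "Allow",
         "Principal": {"AWS": list(authorized_principals)},
         "Action": list(actions), "Resource": resource_arn},
        {"Sid": "DenyNonTlsAccess", "Effect": "Deny", "Principal": "*",
         "Action": f"{service}:*", "Resource": resource_arn,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


def _statements(policy):
    # IAM allows "Statement" to be a single object or a list; normalise to a list.
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def enforces_tls(policy):
    """True if a Deny statement matches requests made without TLS
    (the aws:SecureTransport value may be the string or the bool false)."""
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Deny":
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() == "false":
            return True
    return False


def allowed_principals(policy):
    """Principals granted anything by Allow statements; '*' means anyone."""
    found = set()
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            found.add("*")
        elif isinstance(principal, dict):
            for value in principal.values():
                found.update(value if isinstance(value, list) else [value])
    return found


def is_restricted_to(policy, authorized):
    """True if the policy grants access only to members of `authorized`."""
    return allowed_principals(policy) <= set(authorized)


if __name__ == "__main__":
    queue_policy = build_resource_policy(
        QUEUE_ARN, "sqs", ["sqs:SendMessage", "sqs:ReceiveMessage"], AUTHORIZED)
    print(json.dumps(queue_policy, indent=2))
    print("queue enforces TLS:", enforces_tls(queue_policy))
    print("CMK policy restricted:", is_restricted_to(
        build_key_policy(KEY_ADMIN, AUTHORIZED), AUTHORIZED + [KEY_ADMIN]))
    print("default key policy restricted:",
          is_restricted_to(default_key_policy(ACCOUNT_ID), AUTHORIZED))
```

The two checks are what matter in a design review: `enforces_tls` confirms the aws:SecureTransport deny that option D spells out (redundant for SSE-enabled queues and topics, as dkw2342 notes, but harmless and explicit), and `is_restricted_to` fails for the default key policy because its only principal is the account root, which is why "restricting" the default key policy in options A and C does not describe a real step.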
MarkGerwich
1 year, 4 months ago
CD. B does not include encryption in transit.
upvoted 3 times
Bofi
1 year, 3 months ago
That was my objection toward option B. CD cover both encryption at rest and server-side encryption.
upvoted 1 times
MssP
1 year, 3 months ago
In transit is included in D. With C, encryption at rest is not included.... Server-side will include it.
upvoted 1 times
Maximus007
1 year, 4 months ago
ChatGPT returned AD as a correct answer.
upvoted 1 times
cegama543
1 year, 4 months ago
Selected Answer: BE
B: To encrypt data at rest, we can use a customer-managed key stored in AWS KMS to encrypt the SNS components. E: To restrict access to the data and allow only authorized personnel to access the data, we can apply an IAM policy to restrict key usage to a set of authorized principals. We can also set a condition in the queue policy to allow only encrypted connections over TLS to encrypt data in transit.
upvoted 3 times
Karlos99
1 year, 4 months ago
Selected Answer: BD
For a customer managed KMS key, you must configure the key policy to add permissions for each queue producer and consumer. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html
upvoted 4 times
[Removed]
1 year, 4 months ago
Selected Answer: BE
bebebe
upvoted 1 times
[Removed]
1 year, 4 months ago
bdbdbdbd All KMS keys must have a key policy. IAM policies are optional.
upvoted 7 times
Community vote distribution: A (35%), C (25%), B (20%), other.