Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.
Amazon Discussions

Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 364 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Associate SAA-C03
Question #: 364
Topic #: 1
[All AWS Certified Solutions Architect - Associate SAA-C03 Questions]

A hospital is designing a new application that gathers symptoms from patients. The hospital has decided to use Amazon Simple Queue Service (Amazon SQS) and Amazon Simple Notification Service (Amazon SNS) in the architecture.

A solutions architect is reviewing the infrastructure design. Data must be encrypted at rest and in transit. Only authorized personnel of the hospital should be able to access the data.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

  • A. Turn on server-side encryption on the SQS components. Update the default key policy to restrict key usage to a set of authorized principals.
  • B. Turn on server-side encryption on the SNS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals.
  • C. Turn on encryption on the SNS components. Update the default key policy to restrict key usage to a set of authorized principals. Set a condition in the topic policy to allow only encrypted connections over TLS.
  • D. Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply a key policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS.
  • E. Turn on server-side encryption on the SQS components by using an AWS Key Management Service (AWS KMS) customer managed key. Apply an IAM policy to restrict key usage to a set of authorized principals. Set a condition in the queue policy to allow only encrypted connections over TLS.
Show Suggested Answer Hide Answer
Suggested Answer: CD 🗳️
by [deleted] at March 10, 2023, 1:54 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
fkie4
Highly Voted 1 year, 3 months ago
Selected Answer: BD
read this: https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html
upvoted 13 times
Gooniegoogoo
1 year ago
good call.. that confirms on that page: Important All requests to topics with SSE enabled must use HTTPS and Signature Version 4. For information about compatibility of other services with encrypted topics, see your service documentation. Amazon SNS only supports symmetric encryption KMS keys. You cannot use any other type of KMS key to encrypt your service resources. For help determining whether a KMS key is a symmetric encryption key, see Identifying asymmetric KMS keys.
upvoted 3 times
...
...
awsgeek75
Highly Voted 5 months, 2 weeks ago
My god! Every other question is about SQS! I thought this was AWS Solution Architect test not "How to solve any problem in AWS using SQS" test!
upvoted 10 times
...
pentium75
Most Recent 6 months, 1 week ago
Selected Answer: BD
A and C involve 'updating the default key policy' which is not something you. Either you create a key policy, OR AWS assigns THE "default key policy". E 'applies an IAM policy to restrict key usage to a set of authorized principals' which is not how IAM policies work. You can 'apply an IAM policy to restrict key usage', but it would be restricted to the principals who have the policy attached; you can't specify them in the policy. Leaves B and D. That B lacks the TLS statement is irrelevant because "all requests to topics with SSE enabled must use HTTPS" anyway.
upvoted 5 times
dkw2342
4 months ago
Yes, BD is correct. "All requests to queues with SSE enabled must use HTTPS and Signature Version 4." -> valid for SNS and SQS alike: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html "Set a condition in the queue policy to allow only encrypted connections over TLS." refers to the "aws:SecureTransport" condition, but it's actually redundant.
upvoted 1 times
...
...
TariqKipkemei
1 year, 1 month ago
Selected Answer: CD
Its only options C and D that covers encryption on transit, encryption at rest and a restriction policy.
upvoted 2 times
Lalo
1 year ago
Answer is BD SNS: AWS KMS, key policy, SQS: AWS KMS, Key policy
upvoted 3 times
...
...
luisgu
1 year, 1 month ago
Selected Answer: BD
"IAM policies you can't specify the principal in an identity-based policy because it applies to the user or role to which it is attached" reference: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/security_iam_service-with-iam.html that excludes E
upvoted 1 times
...
imvb88
1 year, 2 months ago
Selected Answer: CD
Encryption at transit = use SSL/TLS -> rule out A,B Encryption at rest = encryption on components -> keep C, D, E KMS always need a key policy, IAM is optional -> E out -> C, D left, one for SNS, one for SQS. TLS: checked, encryption on components: checked
upvoted 3 times
Lalo
1 year ago
Answer is BD SNS: AWS KMS, key policy, SQS: AWS KMS, Key policy
upvoted 2 times
...
imvb88
1 year, 2 months ago
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-data-encryption.html You can protect data in transit using Secure Sockets Layer (SSL) or client-side encryption. You can protect data at rest by requesting Amazon SQS to encrypt your messages before saving them to disk in its data centers and then decrypt them when the messages are received. https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html A key policy is a resource policy for an AWS KMS key. Key policies are the primary way to control access to KMS keys. Every KMS key must have exactly one key policy. The statements in the key policy determine who has permission to use the KMS key and how they can use it. You can also use IAM policies and grants to control access to the KMS key, but every KMS key must have a key policy.
upvoted 1 times
...
...
MarkGerwich
1 year, 3 months ago
CD B does not include encryption in transit.
upvoted 3 times
MssP
1 year, 3 months ago
in transit is included in D. With C, not include encrytion at rest.... Server-side will include it.
upvoted 1 times
...
Bofi
1 year, 3 months ago
That was my objection toward option B. CD cover both encryption at Rest and Server-Side_Encryption
upvoted 1 times
...
...
Maximus007
1 year, 3 months ago
ChatGPT returned AD as a correct answer)
upvoted 1 times
...
cegama543
1 year, 3 months ago
Selected Answer: BE
B: To encrypt data at rest, we can use a customer-managed key stored in AWS KMS to encrypt the SNS components. E: To restrict access to the data and allow only authorized personnel to access the data, we can apply an IAM policy to restrict key usage to a set of authorized principals. We can also set a condition in the queue policy to allow only encrypted connections over TLS to encrypt data in transit.
upvoted 2 times
...
Karlos99
1 year, 3 months ago
Selected Answer: BD
For a customer managed KMS key, you must configure the key policy to add permissions for each queue producer and consumer. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html
upvoted 3 times
...
[Removed]
1 year, 3 months ago
Selected Answer: BE
bebebe
upvoted 1 times
[Removed]
1 year, 3 months ago
bdbdbdbd All KMS keys must have a key policy. IAM policies are optional.
upvoted 6 times
...
...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
ex Want to SAVE BIG on Certification Exam Prep?
close
ex Unlock All Exams with ExamTopics Pro 75% Off
  • arrow Choose From 1000+ Exams
  • arrow Access to 10 Exams per Month
  • arrow PDF Format Available
  • arrow Inline Discussions
  • arrow No Captcha/Robot Checks
Limited Time Offer
Ends in

Claim Offer Now
286 people claimed it in the last 6 hours