Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 929 discussion

A C F is corrcet

Does a SNS topic need to decrypt an encrypted message in order to deliver it to its subscribers? If so, option "C" should be in. If not, it should be out. And I think is out, unless SNS topic needs to apply certain logic to the message prior to subscription deliver (filters). This question requires a CSE-KMS approach, which force the Lambda function to encrypt the message before publishing, so option "F" is a must (I think everybody here is on the same page with this one). Also, option "A" should be obvious by now. And even though option "D" is redundant, it's technically correct, so it's a better choice.

For C - https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html Permissions for custom KMS keys – If using a custom KMS key, include the following in the key policy to allow Amazon SNS to encrypt and decrypt messages:

A - This is a must-do. B - As question stated, we have no reason to replace the keys. C - This ensures the function can encrypt messages when publishing. D - While specifying the Lambda function's ARN in the SNS topic's resource policy is part of the solution (it's how you grant the "sns:Publish" permission), it's not sufficient on its own. You also need the KMS key policy and the Lambda execution role permissions. This option is a part of option A, not a standalone answer. E - The Lambda function interacts directly with the SNS topic, and API Gateway is not relevant. F - Yes, so that this role will have policies that allow the "kms:Encrypt", "kms:GenerateDataKey," and "kms:Decrypt" actions on the specific KMS key used to encrypt the topic.

I don't understand why lambda needs KMS to encrypt message. In this scenario, the Lambda function does not need direct permissions to use the KMS key because the encryption and decryption are fully managed by Amazon SNS as part of the SSE-KMS feature. SNS is the only service lambda will talk to, The Lambda interacts with SNS using HTTPS and does not directly deal with the encrypted data or the KMS key. so Lambda only needs the permission to publish messages to the SNS topic. I would like to choose F only if #F answer can be updated as below: F. Configure a Lambda execution role that has the necessary IAM permissions to publish to the SNS topic. A: Create a resource policy for the SNS topic => grants lambda the ability to publish messages to the topic C: The KMS key resource policy must allow SNS to use the key for encryption and decryption. F: Configure the Lambda Execution Role => SNS permissions to publish to the topic

#A: This is essential because the resource policy on the SNS topic will define which entities (like the Lambda function) are allowed to publish messages to it. #D: By specifying the Lambda function's ARN in the SNS topic policy, you clearly grant access only to that specific Lambda function. #F: Since the SNS topic uses a customer-managed KMS key, the Lambda execution role must have the necessary permissions to use that key for encryption/decryption when publishing messages.

D is correct too and С is not clear, but seems like it is about KMS policy and adding permissions for sns service which has to be added in case of CMK

my answer

ChatGPT agrees with me

Answer is ADF