AWS Certified Developer – Associate / Question #1107 of 557

Question #1107

A developer is building a healthcare application that processes sensitive patient records. The application uses Amazon CloudFront for content delivery and AWS Lambda functions to process data. Each transaction includes protected health information (PHI) that must be encrypted at the field level. Only authorized backend services should be able to decrypt specific PHI fields. Which solution meets these requirements?

A

Use Lambda@Edge to encrypt PHI fields with a symmetric AWS KMS key. Configure backend Lambda functions to decrypt the data using the same key.

B

Enable AWS Shield Advanced on the CloudFront distribution for DDoS protection. Use Lambda functions with AWS KMS to encrypt sensitive data before storage.

C

Configure CloudFront field-level encryption with an asymmetric AWS KMS key. Specify the PHI fields to encrypt and restrict decryption permissions to authorized Lambda functions.

D

Set up CloudFront to forward all headers to the origin server. Use API Gateway with AWS KMS to encrypt data at rest in Amazon S3.

Explanation

Answer C is correct because:
1. Field-Level Encryption: CloudFront natively supports field-level encryption, allowing specific fields (e.g., PHI) to be encrypted before reaching the origin.
2. Asymmetric KMS Keys: With an asymmetric key pair, data is encrypted with the public key and can be decrypted only with the private key. This restricts decryption to authorized backend Lambda functions that have access to the private key.
3. Security Compliance: PHI requires strict access controls, and asymmetric encryption ensures only permitted services can decrypt sensitive data.

Why other options are incorrect:
- A: Symmetric KMS keys allow both encryption and decryption with the same key, posing a risk if unauthorized services gain access.
- B: AWS Shield Advanced protects against DDoS but doesn't address field-level encryption requirements.
- D: Encrypting data at rest in S3 does not fulfill the requirement for field-level encryption during processing/transit.

Key Points:
- Use CloudFront field-level encryption for granular field protection.
- Asymmetric KMS keys enforce decryption permissions via private key access.
- PHI requires strict encryption and access controls under regulations like HIPAA.

Answer

The correct answer is: C