Question #888
A financial institution uses Amazon SQS to process transaction data between services. The institution must ensure that all messages stored in the queue are encrypted to meet compliance standards. The solution should require minimal configuration and management. Which approach satisfies these requirements?
A. Enable server-side encryption (SSE) for the SQS queue using the Amazon SQS managed key (SSE-SQS).
B. Enforce HTTPS connections by applying a queue policy with the aws:SecureTransport condition.
C. Generate an SSL/TLS certificate with AWS Certificate Manager and attach it to the queue.
D. Include an encryption flag in the message attributes when sending messages to the queue.
Explanation
Answer A is correct because:
- SSE-SQS encrypts messages at rest using AWS-managed keys, requiring no additional key management.
- It meets compliance standards by ensuring all stored messages are encrypted.
- Minimal configuration: Enabling SSE-SQS is a simple queue setting.
Other options are incorrect because:
- B enforces HTTPS (encryption in transit), not encryption at rest.
- C involves SSL/TLS certificates (for transport encryption), irrelevant to stored data encryption.
- D only tags messages with an attribute; any actual protection would have to come from manual client-side encryption, which adds complexity and management overhead.
Key Points: Use SSE-SQS for server-side encryption at rest with AWS-managed keys to minimize configuration and ensure compliance.
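The distinction the explanation draws (SSE-SQS for encryption at rest versus an aws:SecureTransport policy for encryption in transit), shown as an added, offline Python example that is not part of the original question: it classifies a queue from the attribute dictionary that `sqs.get_queue_attributes` returns, using constructed sample data and making no AWS calls.

```python
import json
# Attribute names match what sqs.get_queue_attributes(AttributeNames=["All"])
# returns; the sample dicts below are constructed, no AWS calls are made.
def at_rest_encryption(attrs):
    """Return "sse-kms", "sse-sqs" or "none" for a queue's encryption at rest."""
    # SSE-KMS and SSE-SQS are mutually exclusive; a KMS key id wins if present.
    if attrs.get("KmsMasterKeyId"):
        return "sse-kms"
    if str(attrs.get("SqsManagedSseEnabled", "false")).lower() == "true":
        return "sse-sqs"
    return "none"

def enforces_tls(attrs):
    """True if the queue policy denies requests made without TLS (option B)."""
    policy = attrs.get("Policy")
    if not policy:
        return False
    statements = json.loads(policy).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Deny":
            continue
        # Condition keys are case-insensitive in IAM; normalise before comparing.
        for key, value in st.get("Condition", {}).get("Bool", {}).items():
            if key.lower() == "aws:securetransport" and str(value).lower() == "false":
                return True
    return False

def compliance_findings(attrs):
    """Findings against the control 'all stored messages are encrypted'."""
    findings = []
    if at_rest_encryption(attrs) == "none":
        findings.append("not encrypted at rest: set SqsManagedSseEnabled=true")
    if not enforces_tls(attrs):
        findings.append("policy does not deny non-TLS access (aws:SecureTransport)")
    return findings

# Constructed samples: a queue with SSE-SQS on, and one that only enforces HTTPS.
TLS_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "sqs:*",
    "Resource": "arn:aws:sqs:us-east-1:123456789012:txn-queue",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
QUEUE_SSE_SQS = {"SqsManagedSseEnabled": "true", "Policy": TLS_ONLY_POLICY}
QUEUE_TLS_ONLY = {"SqsManagedSseEnabled": "false", "Policy": TLS_ONLY_POLICY}

if __name__ == "__main__":
    for name, q in (("sse-sqs queue", QUEUE_SSE_SQS), ("tls-only queue", QUEUE_TLS_ONLY)):
        print(name, at_rest_encryption(q), compliance_findings(q))
```

The TLS-only queue passes the transport check yet still fails the at-rest control, which is exactly why option B does not satisfy the requirement.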
Answer
The correct answer is: A