AWS Certified Solutions Architect - Associate

Question #1510

A solutions architect is designing an asynchronous application to process transaction reconciliation requests for a financial institution. The application must be secure and guarantee that each request is processed at least once. Which solution will meet these requirements MOST cost-effectively?

A

Use AWS Lambda event source mapping. Set Amazon Simple Queue Service (Amazon SQS) standard queues as the event source. Use AWS Key Management Service (SSE-KMS) for encryption. Add the KMS:Decrypt permission for the Lambda execution role.

B

Use AWS Lambda event source mapping. Use Amazon Simple Queue Service (Amazon SQS) FIFO queues as the event source. Use SQS managed encryption keys (SSE-SQS) for encryption. Add the encryption key invocation permission for the Lambda function.

C

Use the AWS Lambda event source mapping. Set Amazon Simple Queue Service (Amazon SQS) FIFO queues as the event source. Use AWS KMS keys (SSE-KMS). Add the KMS:Decrypt permission for the Lambda execution role.

D

Use the AWS Lambda event source mapping. Set Amazon Simple Queue Service (Amazon SQS) standard queues as the event source. Use AWS KMS keys (SSE-KMS) for encryption. Add the encryption key invocation permission for the Lambda function.

Explanation

The correct answer is A because:
1. SQS Standard Queues: Provide at-least-once message delivery, meeting the requirement for processing each request at least once, and are more cost-effective than FIFO queues.
2. SSE-KMS Encryption: Ensures data security using AWS KMS-managed keys, which offer better control and compliance than SSE-SQS.
3. KMS:Decrypt Permission: Required for Lambda to decrypt messages encrypted via KMS, ensuring proper access.

Other options are incorrect because:
- B/C: Use FIFO queues, which are more expensive and unnecessary since the requirement is 'at least once' (not 'exactly once').
- D: Mentions 'encryption key invocation permission,' which is not a valid KMS permission (correct permission is KMS:Decrypt).

Key Points:
- Use SQS Standard Queues for at-least-once delivery when cost is a priority.
- SSE-KMS provides stronger security controls than SSE-SQS.
- Lambda requires KMS:Decrypt permission to process KMS-encrypted SQS messages.

Answer

The correct answer is: A