Question #1011
A company must utilize an AWS Transfer Family SFTP-enabled server linked to an Amazon S3 bucket to receive daily data feeds from a third-party vendor. The vendor encrypts the data using GNU Privacy Guard (GPG) encryption. The company requires an automated solution to decrypt the data immediately upon receipt.
The solutions architect is tasked with implementing a Transfer Family managed workflow. The company has already established an IAM service role with a policy granting access to AWS Secrets Manager and the S3 bucket. The role's trust relationship permits the transfer.amazonaws.com service to assume the role.
What should the solutions architect do next to enable automatic decryption of the data?
A. Store the GPG public key in Secrets Manager. Add a nominal step in the Transfer Family managed workflow to decrypt files. Configure GPG encryption parameters in the nominal step. Associate the workflow with the Transfer Family server.
B. Store the GPG private key in Secrets Manager. Add an exception-handling step in the Transfer Family managed workflow to decrypt files. Configure GPG encryption parameters in the exception handler. Associate the workflow with the SFTP user.
C. Store the GPG private key in Secrets Manager. Add a nominal step in the Transfer Family managed workflow to decrypt files. Configure GPG decryption parameters in the nominal step. Associate the workflow with the Transfer Family server.
D. Store the GPG public key in Secrets Manager. Add an exception-handling step in the Transfer Family managed workflow to decrypt files. Configure GPG decryption parameters in the exception handler. Associate the workflow with the SFTP user.
Explanation
Answer C is correct because:
1. Private Key Requirement: GPG (PGP) data is encrypted to the recipient's public key and can only be decrypted with the matching private key, so the private key (and its passphrase, if any) is what belongs in AWS Secrets Manager. The Transfer Family decrypt step looks the key up by name: aws/transfer/<server-id>/<user-name> for a per-user key, falling back to aws/transfer/<server-id>/@pgp-default.
2. Nominal Workflow Step: Decryption is required for every file received, so it belongs in the workflow's nominal (normal) sequence as a step of type DECRYPT. Exception-handling steps run only when a nominal step fails and are meant for cleanup or alerting, not routine processing.
3. Workflow Association: Workflows are attached to the server (its WorkflowDetails, typically the OnUpload trigger) together with the execution role, so the workflow runs automatically on every completed upload; there is no per-user workflow attachment.
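The three steps above, carried through in code. This is an added example, not material from the original question or from AWS; it builds the Secrets Manager secret name and payload, the CreateWorkflow Steps list with a nominal DECRYPT step, and the UpdateServer WorkflowDetails, using the documented field names. The server ID, bucket, role ARN, user name and key file are placeholders, and the trailing-slash behaviour of the destination key (keeping the uploaded file name) is an assumption. Only main() calls AWS; the builder functions run offline.

```python
"""Added example: assemble the pieces of an automatic PGP decryption setup
for an AWS Transfer Family SFTP server.  Dict shapes follow the Transfer
Family CreateWorkflow / UpdateServer API; all identifiers are placeholders.
Only main() talks to AWS."""
import json
import re

# Transfer Family server IDs look like s-<17 hex chars>.
SERVER_ID_RE = re.compile(r"^s-[0-9a-f]{17}$")


def pgp_secret_name(server_id, sftp_user=None):
    """Name under which the DECRYPT step looks for the private key.

    Transfer Family first tries aws/transfer/<server-id>/<user-name> and then
    aws/transfer/<server-id>/@pgp-default, so a per-user secret lets each
    vendor have its own key pair.
    """
    if not SERVER_ID_RE.match(server_id):
        raise ValueError(f"not a Transfer Family server ID: {server_id!r}")
    return f"aws/transfer/{server_id}/{sftp_user or '@pgp-default'}"


def pgp_secret_value(private_key_armored, passphrase=None):
    """Secret payload: PGPPrivateKey plus optional PGPPassphrase.

    Refuses a public key up front; the mistake would otherwise only surface
    as a failed workflow execution after the vendor's first upload.
    """
    if "BEGIN PGP PRIVATE KEY BLOCK" not in private_key_armored:
        raise ValueError("decryption needs the PRIVATE key; a public key only encrypts")
    value = {"PGPPrivateKey": private_key_armored}
    if passphrase:
        value["PGPPassphrase"] = passphrase
    return value


def decrypt_workflow_steps(dest_bucket, dest_prefix="decrypted/"):
    """One nominal step of type DECRYPT (PGP) that reads the file as uploaded."""
    return [{
        "Type": "DECRYPT",
        "DecryptStepDetails": {
            "Name": "DecryptVendorFeed",
            "Type": "PGP",
            "SourceFileLocation": "${original.file}",
            "OverwriteExisting": "FALSE",
            "DestinationFileLocation": {
                "S3FileLocation": {
                    "Bucket": dest_bucket,
                    # Transfer Family expands these variables per upload; the
                    # trailing slash keeping the uploaded name is an assumption.
                    "Key": dest_prefix + "${transfer:UserName}/${transfer:UploadDate}/",
                }
            },
        },
    }]


def workflow_details(workflow_id, execution_role_arn):
    """UpdateServer payload that runs the workflow after every complete upload."""
    return {"OnUpload": [{"WorkflowId": workflow_id, "ExecutionRole": execution_role_arn}]}


def main():
    # Needs AWS credentials; the values below are placeholders, not real resources.
    import boto3  # imported here so the builder functions stay importable offline
    server_id = "s-11112222333344445"
    role_arn = "arn:aws:iam::123456789012:role/TransferWorkflowRole"
    bucket = "example-vendor-feed"
    with open("vendor-private.asc") as f:  # placeholder path to the armored private key
        key_text = f.read()

    sm = boto3.client("secretsmanager")
    sm.create_secret(Name=pgp_secret_name(server_id, "vendor"),
                     SecretString=json.dumps(pgp_secret_value(key_text)))

    tf = boto3.client("transfer")
    wf = tf.create_workflow(Description="Decrypt vendor PGP feed on upload",
                            Steps=decrypt_workflow_steps(bucket))
    tf.update_server(ServerId=server_id,
                     WorkflowDetails=workflow_details(wf["WorkflowId"], role_arn))


if __name__ == "__main__":
    main()
```

The execution role passed in workflow_details is the service role from the question: it must be assumable by transfer.amazonaws.com and allow secretsmanager:GetSecretValue on the secret plus read/write on the source and destination S3 locations, otherwise the DECRYPT step fails at run time.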
Why other options are incorrect:
- A/D: Store the public key, which can only encrypt, not decrypt; A additionally configures "encryption" parameters in the decrypt step.
- B: Stores the right key but places decryption in an exception-handling step (which runs only after a nominal step fails) and associates the workflow with the SFTP user.
- D: Also associates the workflow with the SFTP user; workflows are attached to the server, not to individual users.
Key Points:
- Use AWS Transfer Family workflows to automate file processing.
- Store decryption keys (private keys) in Secrets Manager.
- Nominal steps handle standard processing, while exception steps address failures.
Answer
The correct answer is: C