Q32 — AWS DVA-C02 Ch.1


A development team is evaluating a solution to process and review medical claims. Users log in to access information related to their medical and financial status. As part of the application, sensitive files—including medical records, medical images, bank statements, and receipts—are uploaded to Amazon S3. All files must be encrypted in transit and at rest. All access to the files must be logged for auditing.

Correct Answer: D. Use client-side encryption/decryption with Amazon S3 and AWS KMS.

Explanation

Option D is the most secure approach. With client-side encryption, the application requests a data key from AWS KMS (GenerateDataKey), encrypts each file locally under that key, and uploads only ciphertext together with the KMS-wrapped data key as object metadata. The plaintext never leaves the client, so the file is protected in transit and at rest regardless of what happens on the server side (the SDK's HTTPS endpoint still protects the request itself). The customer-managed KMS key and its key policy give granular control over who may generate and unwrap data keys, and every GenerateDataKey and Decrypt call, successful or denied, is recorded by AWS CloudTrail, which yields a per-object audit trail of key usage. Object-level reads and writes against the bucket are logged by enabling CloudTrail data events for S3 (or S3 server access logging), which complements the KMS events. Option A (S3 default encryption) only encrypts at rest on the server side, leaves in-transit protection to TLS that must be enforced separately (for example with a bucket policy that denies requests where aws:SecureTransport is false), and lacks fine-grained control over the keys. Option B (Amazon Cognito) handles user authentication and identity, not data encryption. Option C (Lambda-based encryption) adds operational complexity and additional failure points. Thus, D best satisfies the encryption and audit requirements for sensitive healthcare and financial data.
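The envelope-encryption flow behind option D, as an added example that is not part of the original page or of any AWS SDK. KMS is replaced by an in-process stand-in (localKMS) that wraps data keys under a local master key and keeps its own call log so the example runs offline; with the real SDK the two methods correspond to kms.GenerateDataKey and kms.Decrypt, and the log corresponds to the CloudTrail events those calls produce. The key alias, the bucket and object names, the sample record, and the use of the object name as the KMS encryption context are all assumptions chosen for illustration, not the S3 Encryption Client's own metadata format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

type AuditEvent struct{ Action, KeyID, Object string } // one CloudTrail-style record per KMS call

// localKMS is an offline simulation (assumed, not AWS KMS) of the two calls
// envelope encryption needs, kms.GenerateDataKey and kms.Decrypt in the real
// SDK: it wraps data keys under an in-memory master key and logs every call.
type localKMS struct {
	keyID  string
	master []byte
	Trail  []AuditEvent
}

// GenerateDataKey returns a fresh AES-256 data key plus the same key wrapped
// under the master key and bound to the object name (the encryption context).
func (k *localKMS) GenerateDataKey(keyID, object string) (plain, wrapped []byte) {
	k.Trail = append(k.Trail, AuditEvent{"GenerateDataKey", keyID, object})
	plain = randomBytes(32)
	return plain, seal(k.master, plain, []byte(object))
}

// Decrypt unwraps a data key; a different object name fails authentication.
func (k *localKMS) Decrypt(wrapped []byte, object string) ([]byte, error) {
	k.Trail = append(k.Trail, AuditEvent{"Decrypt", k.keyID, object})
	return open(k.master, wrapped, []byte(object))
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes, so this is a bug, not bad input
	}
	gcm, _ := cipher.NewGCM(block) // NewGCM only fails for non-128-bit block sizes
	return gcm
}

// seal / open: AES-GCM, random nonce prefixed to the ciphertext, object name as AAD.
func seal(key, plaintext, ad []byte) []byte {
	gcm := aesGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, ad)
}

func open(key, ct, ad []byte) ([]byte, error) {
	gcm := aesGCM(key)
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], ad)
}

// EncryptedObject is all that crosses the wire to S3: ciphertext body plus the wrapped key as metadata.
type EncryptedObject struct{ Body, WrappedKey []byte }

// PutEncrypted encrypts locally before upload; object is "bucket/key". Neither
// the plaintext nor the plaintext data key ever leaves the client.
func PutEncrypted(kms *localKMS, keyID, object string, plaintext []byte) *EncryptedObject {
	dataKey, wrapped := kms.GenerateDataKey(keyID, object)
	return &EncryptedObject{Body: seal(dataKey, plaintext, []byte(object)), WrappedKey: wrapped}
}

// GetDecrypted unwraps the data key through KMS (one audited call per read), then decrypts locally.
func GetDecrypted(kms *localKMS, object string, obj *EncryptedObject) ([]byte, error) {
	dataKey, err := kms.Decrypt(obj.WrappedKey, object)
	if err != nil {
		return nil, err
	}
	return open(dataKey, obj.Body, []byte(object))
}

func main() {
	kms := &localKMS{keyID: "alias/claims-app", master: randomBytes(32)}
	record := []byte("constructed sample: patient 42, MRI 2024-03-01") // stands in for a DICOM file
	obj := PutEncrypted(kms, kms.keyID, "claims-uploads/patient/42/mri.dcm", record)
	fmt.Println("only ciphertext on the wire:", !bytes.Contains(obj.Body, []byte("patient 42")))
	got, err := GetDecrypted(kms, "claims-uploads/patient/42/mri.dcm", obj)
	fmt.Println("round trip:", err == nil && bytes.Equal(got, record))
	// Same body and metadata under another object name: context mismatch, Decrypt fails, still logged.
	_, err = GetDecrypted(kms, "claims-uploads/patient/43/mri.dcm", obj)
	fmt.Println("replay under another object rejected:", err != nil)
	fmt.Println("audit trail:", kms.Trail) // three events, the failed Decrypt included
}
```

The last GetDecrypted call reuses a valid wrapped key under a different object name. Because the name is bound into the wrapping as authenticated data (KMS enforces the same rule with its encryption context), the unwrap fails, and the denied attempt still appears in the trail, which is the property the audit requirement relies on: every access to a file's key, not only successful ones, is visible to the auditor.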