Q32 — AWS DVA-C02 Ch.1
A development team is evaluating a solution to process and review medical claims. Users log in to access information related to their medical and financial status. As part of the application, sensitive files—including medical records, medical images, bank statements, and receipts—are uploaded to Amazon S3. All files must be encrypted in transit and at rest. All access to the files must be logged for auditing.
- A. Use S3 default encryption with Advanced Encryption Standard 256 (AES-256) on the target bucket.
- B. Use Amazon Cognito for authorization and authentication to secure the application and documents.
- C. Use AWS Lambda to encrypt and decrypt objects as they are placed into the S3 bucket.
- D. Use client-side encryption/decryption with Amazon S3 and AWS KMS. ✓
Correct Answer: D. Use client-side encryption/decryption with Amazon S3 and AWS KMS.
Explanation
Option D is the most secure approach. Client-side encryption with AWS KMS gives the application granular control over the encryption keys and encrypts each file before it leaves the client, so the data is protected both in transit and at rest. Because every encrypt and decrypt operation calls KMS, key usage is recorded in detail in AWS CloudTrail, which satisfies the auditing requirement. Option A (S3 default encryption with AES-256) protects data only at rest, offers no fine-grained key control, and does not by itself address encryption in transit. Option B (Amazon Cognito) handles authentication and authorization but does not encrypt the data. Option C (Lambda-based encryption) adds operational complexity and additional points of failure. Thus, D best satisfies the security and audit requirements for sensitive healthcare and financial data.