Q61 — AWS DVA-C02 Ch.2
An application running on an Amazon EC2 instance retrieves messages from a standard Amazon SQS queue. The requirement is that all messages must be encrypted at rest. The developer is instructed to use a solution that supports centralized key management and minimizes ongoing support effort.
- A. Encrypt individual messages using client-side encryption with a customer-managed key, then write them to the SQS queue.
- B. Use the SQS Extended Client Library with Amazon S3 and client-side encryption to encrypt individual messages.
- C. Create an SQS queue and enable server-side encryption (SSE) using AWS KMS to encrypt the queue. ✓
- D. Create an SQS queue and use client-side encryption to encrypt the queue itself.
Correct Answer: C. Create an SQS queue and enable server-side encryption (SSE) using AWS KMS to encrypt the queue.
Explanation
Amazon SQS Server-Side Encryption (SSE) with AWS KMS automatically encrypts messages at rest as soon as SQS receives them and decrypts them only when they are delivered to authorized consumers. It provides centralized key management through AWS KMS, requires no application code changes, and removes the operational overhead of client-side encryption (key rotation, encryption/decryption logic). Options A and B require complex client-side implementation and ongoing maintenance. Option D is invalid: queues themselves cannot be "client-side encrypted"; encryption applies to message payloads. Therefore, Option C is the correct, fully managed, and compliant solution.