Learn the necessary steps to allow an AWS Lambda function to securely publish protected health information (PHI) to an encrypted Amazon SNS topic using customer managed KMS keys.
Question
A healthcare company is developing an AWS Lambda function that publishes notifications to an encrypted Amazon Simple Notification Service (Amazon SNS) topic. The notifications contain protected health information (PHI).
The SNS topic uses AWS Key Management Service (AWS KMS) customer managed keys for encryption. The company must ensure that the application has the necessary permissions to publish messages securely to the SNS topic.
Which combination of steps will meet these requirements? (Choose three.)
A. Create a resource policy for the SNS topic that allows the Lambda function to publish messages to the topic.
B. Use server-side encryption with AWS KMS keys (SSE-KMS) for the SNS topic instead of customer managed keys.
C. Create a resource policy for the encryption key that the SNS topic uses that has the necessary AWS KMS permissions.
D. Specify the Lambda function’s Amazon Resource Name (ARN) in the SNS topic’s resource policy.
E. Associate an Amazon API Gateway HTTP API with the SNS topic to control access to the topic by using API Gateway resource policies.
F. Configure a Lambda execution role that has the necessary IAM permissions to use a customer managed key in AWS KMS.
Answer
A. Create a resource policy for the SNS topic that allows the Lambda function to publish messages to the topic.
C. Create a resource policy for the encryption key that the SNS topic uses that has the necessary AWS KMS permissions.
F. Configure a Lambda execution role that has the necessary IAM permissions to use a customer managed key in AWS KMS.
Explanation
To enable an AWS Lambda function to securely publish PHI data to an encrypted Amazon SNS topic that uses customer managed AWS KMS keys, you need to:
A. Create a resource policy for the SNS topic that allows the Lambda function to publish messages to the topic. This policy should specify the Lambda function’s Amazon Resource Name (ARN) and grant it the necessary SNS permissions, such as sns:Publish.
C. Create a resource policy for the customer managed KMS key that the SNS topic uses for encryption. This policy needs to grant the Lambda function the KMS permissions required to use the key for encryption, such as kms:Encrypt, kms:Decrypt and kms:GenerateDataKey.
F. Configure an IAM execution role for the Lambda function that includes IAM permissions to use the customer managed KMS key. The role should have a policy that allows the relevant KMS actions on the specific key ARN.
Together, these three steps ensure that:
1) The SNS topic allows the Lambda function to publish to it
2) The KMS key allows the Lambda function to use it for encryption
3) The Lambda function has an IAM role with permissions to actually use that specific KMS key
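The three policy documents that steps A, C and F describe, written out as an added example (not part of the original question bank, and not an AWS-published policy). The account id, region, role, topic and key ARNs are constructed placeholders. The publishing principal is the Lambda function's execution role, which is the IAM identity the function actually calls SNS with, so that role ARN is what the topic and key policies name. A small allow-evaluator (a deliberate simplification of IAM evaluation: Allow and explicit Deny only, no Condition handling) checks that each hop in the path grants what the function needs.

```python
"""Policies letting a Lambda execution role publish to an SNS topic that is
encrypted with a customer managed KMS key, plus a minimal evaluator that
checks every hop (topic policy, key policy, execution role policy).

All ARNs, the account id and the region below are constructed placeholders.
"""
import fnmatch
import json

ACCOUNT = "111122223333"   # placeholder account id
REGION = "us-east-1"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/phi-notifier-lambda-role"   # hypothetical role
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT}:phi-notifications"       # hypothetical topic
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000"  # placeholder key

# Step A: SNS topic resource policy. The principal is the role the function
# runs as, limited to sns:Publish on this single topic.
TOPIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowLambdaRoleToPublish",
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": "sns:Publish",
        "Resource": TOPIC_ARN,
    }],
}

# Step C: KMS key policy. SNS requests a data key on the publisher's behalf to
# encrypt each message, so the publishing role needs GenerateDataKey and
# Decrypt. In a key policy, Resource "*" means this key only.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnableKeyAdministrationByAccount",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "AllowLambdaRoleToUseKeyForSns",
            "Effect": "Allow",
            "Principal": {"AWS": ROLE_ARN},
            "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
            "Resource": "*",
        },
    ],
}

# Step F: identity policy attached to the execution role. Scoped to the one
# topic and the one key rather than "*".
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublishToTopic", "Effect": "Allow",
         "Action": "sns:Publish", "Resource": TOPIC_ARN},
        {"Sid": "UseCmkForSns", "Effect": "Allow",
         "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": KEY_ARN},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal_arn):
    """Identity policies carry no Principal; resource policies name one."""
    principal = stmt.get("Principal")
    if principal is None or principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return any(entry in ("*", principal_arn) for entry in _as_list(aws))


def allows(policy, principal_arn, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, otherwise any matching
    Allow grants. Conditions are not evaluated (deliberate simplification)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_publish_encrypted(role_arn, topic_policy=TOPIC_POLICY,
                          key_policy=KEY_POLICY, role_policy=ROLE_POLICY):
    """Return the names of the hops that do NOT grant access; [] means the
    role can publish an encrypted message end to end."""
    checks = {
        "A: topic policy grants sns:Publish": allows(topic_policy, role_arn, "sns:Publish", TOPIC_ARN),
        "C: key policy grants kms:GenerateDataKey": allows(key_policy, role_arn, "kms:GenerateDataKey", KEY_ARN),
        "C: key policy grants kms:Decrypt": allows(key_policy, role_arn, "kms:Decrypt", KEY_ARN),
        "F: role policy grants sns:Publish": allows(role_policy, role_arn, "sns:Publish", TOPIC_ARN),
        "F: role policy grants kms:GenerateDataKey": allows(role_policy, role_arn, "kms:GenerateDataKey", KEY_ARN),
    }
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    for name, doc in (("topic", TOPIC_POLICY), ("key", KEY_POLICY), ("role", ROLE_POLICY)):
        print(f"--- {name} policy ---\n{json.dumps(doc, indent=2)}")
    print("missing hops:", can_publish_encrypted(ROLE_ARN))
```

Running the module prints the three documents and an empty list of missing hops for the function's role; handing `can_publish_encrypted` any other role ARN (with that role's own, empty, identity policy) lists the topic and key hops as missing, which is the failure an operator sees as an access denied on publish. The key policy is the hop most often forgotten: the role's identity policy alone does not let it use the key, because a KMS key policy has to grant (or delegate) access before IAM policies in the account apply. A `kms:ViaService` condition on the key statement can narrow the grant further to requests made through SNS.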
The other options are incorrect because:
B) Using AWS managed SSE-KMS keys instead of customer managed keys would not meet the requirement to use customer managed keys.
D) The Lambda function’s ARN should be specified in the SNS topic policy, not the other way around.
E) Using API Gateway to control SNS topic access is not required and would add unnecessary complexity.
In summary, the correct combination is A, C and F. Together they configure the resource policies and IAM permissions that allow the Lambda function to securely publish PHI data to the encrypted SNS topic using customer managed KMS keys.
Practice question and answer, with explanation, from an Amazon AWS Certified Solutions Architect – Associate SAA-C03 certification exam assessment.