Exam AWS Certified Developer Associate topic 1 question 145 discussion

Exam question from Amazon's AWS Certified Developer Associate
Question #: 145
Topic #: 1

A developer creates an AWS Lambda function to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. All message content must be encrypted in transit and at rest between Lambda and Amazon SNS.
A part of the Lambda execution role is as follows:

Which combination of steps should the developer take to meet these requirements? (Choose two.)

  • A. Enable server-side encryption on the SNS topic.
  • B. Add a Deny statement to the Lambda execution role. Specify the SNS topic ARN as the resource. Specify "aws:SecureTransport": "true" as the condition.
  • C. Create a VPC endpoint for Amazon SNS.
  • D. Add a StringEquals condition of "sns:Protocol": "https" to the Lambda execution role.
  • E. Add a Deny statement to the Lambda execution role. Specify the SNS topic ARN as the resource. Specify "aws:SecureTransport": "false" as the condition.
Suggested Answer: AE
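
The difference between options B and E can be checked with a small model of IAM policy evaluation. This is an added example, not part of the original question or of any AWS tooling; it covers only the in-transit half of the requirement. The topic ARN is a constructed placeholder, and the Allow statement is an assumed stand-in for the execution-role fragment, which the page does not show.

```python
# Simplified model of IAM evaluation for one request: an explicit Deny beats an Allow.
# Only the Bool condition operator on aws:SecureTransport is modelled.

TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:example-topic"  # constructed placeholder

# Assumed stand-in for the execution-role fragment, which the page does not show.
ALLOW_PUBLISH = {"Effect": "Allow", "Action": "sns:Publish", "Resource": TOPIC_ARN}


def deny_on_secure_transport(value):
    """Build the Deny statement from option B (value="true") or option E (value="false")."""
    return {
        "Effect": "Deny",
        "Action": "sns:Publish",
        "Resource": TOPIC_ARN,
        "Condition": {"Bool": {"aws:SecureTransport": value}},
    }


def statement_matches(stmt, action, resource, context):
    """True when action, resource and every Bool condition key match the request."""
    if stmt["Action"] != action or stmt["Resource"] != resource:
        return False
    for key, expected in stmt.get("Condition", {}).get("Bool", {}).items():
        # A key missing from the request context never satisfies the condition.
        if str(context.get(key, "")).lower() != expected.lower():
            return False
    return True


def evaluate(statements, action, resource, context):
    matched = [s["Effect"] for s in statements
               if statement_matches(s, action, resource, context)]
    if "Deny" in matched:
        return "Deny"  # explicit deny always wins
    return "Allow" if "Allow" in matched else "Deny"  # otherwise implicit deny


def publish_outcomes(option_value):
    """Decision for a publish over TLS and for one over plain HTTP."""
    policy = [ALLOW_PUBLISH, deny_on_secure_transport(option_value)]
    return {
        "https": evaluate(policy, "sns:Publish", TOPIC_ARN, {"aws:SecureTransport": True}),
        "http": evaluate(policy, "sns:Publish", TOPIC_ARN, {"aws:SecureTransport": False}),
    }


if __name__ == "__main__":
    print("Option B:", publish_outcomes("true"))
    print("Option E:", publish_outcomes("false"))
```
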

Comments

Vinafec
Highly Voted 2 years, 9 months ago
Selected Answer: AE
A: force encryption at rest. E: deny all that are not encrypted in transit.
upvoted 14 times
dimon_millioner
1 year, 8 months ago
Deny Statement : { "Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*" }
upvoted 1 times
...
...
nmc12
Most Recent 1 year, 7 months ago
Selected Answer: AE
If "aws:SecureTransport": "false" -> will be denied. Example is below: { "Id": "ExamplePolicy", "Version": "2012-10-17", "Statement": [ { "Sid": "AllowSSLRequestsOnly", "Action": "s3:*", "Effect": "Deny", "Resource": [ "arn:aws:SNS:::<バケット名>" ], "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Principal": "*" } ] }
upvoted 1 times
...
YanisGTR
1 year, 9 months ago
A: force encryption at rest. D: This makes sure everything is encrypted in transit.
upvoted 1 times
...
AswinDe
1 year, 10 months ago
AB B is correct as per above Effect=Allow, so "Condition": { "Bool": { "aws:SecureTransport": "true" } },
upvoted 1 times
...
rcaliandro
1 year, 11 months ago
Selected Answer: AE
I don't understand why we also need server-side encryption. If data is encrypted in transit then it should be encrypted at rest, shouldn't it? BTW agree AE by exclusion.
upvoted 1 times
...
GARGMOH
2 years, 3 months ago
Selected Answer: AE
A and E
upvoted 1 times
...
pancman
2 years, 3 months ago
This question was on the exam today (Feb 2023)
upvoted 2 times
...
sichilam
2 years, 4 months ago
A and E
upvoted 1 times
...
hamimelon
2 years, 6 months ago
Why is D wrong? My problem with E is that Lambda is publishing to SNS, not triggered by SNS, so Lambda doesn't care whether SNS has encryption at-rest or not.
upvoted 2 times
...
michaldavid
2 years, 6 months ago
Selected Answer: AE
A and E
upvoted 1 times
...
habros
2 years, 8 months ago
A&E. Trick question. You SHOULD deny policy when protocol is not HTTPS.
upvoted 1 times
...
RUKSHANA
2 years, 8 months ago
A & E https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html
upvoted 4 times
...
m_t_kd
2 years, 9 months ago
Answer is A & E
upvoted 2 times
...
Chhotu_DBA
2 years, 9 months ago
Selected Answer: AB
AB correct
upvoted 2 times
AulaitQM
2 years, 8 months ago
no, it is AE because B would deny the encrypted data
upvoted 1 times
...
Phinx
2 years, 4 months ago
B will deny the connection, it's the opposite.
upvoted 2 times
...
...