Section-Based – Data Protection (Security) potential issue
Irene-TutorialsDojo updated 4 days, 21 hours ago 2 Members · 2 Posts
-
There is a question with this content:
A hospital has an on-premises application that stores medical prescriptions and health information about their patients. There is a requirement to move all of the medical records to AWS and perform data analytics for reporting. A Security Officer must implement an architecture that ensures the records are encrypted both in transit and at rest.
Which is the MOST suitable setup that would meet the data protection requirements on AWS?
One of the potential answers is this: Move the medical records using Amazon Kinesis Data Streams with Kinesis Client Library (KCL) consumers that store the records in an Amazon S3 bucket with SSE-KMS encryption. Perform data analytics using Amazon Athena. By default, all data in transit are encrypted in Firehose and Amazon Athena using Transport Layer Security (TLS) encryption.
The answer is incorrect but I think the review content is also wrong because it says this:
The option that says: Move the medical records using Amazon Kinesis Data Streams with Kinesis Client Library (KCL) consumers that store the records in an Amazon S3 bucket with SSE-KMS encryption. Perform data analytics using Amazon Athena. By default, all data in transit are encrypted in Firehose and Amazon Athena using Transport Layer Security (TLS) encryption is incorrect because all data in transit are not automatically encrypted by default in Amazon Data Firehose. It is true that Amazon Athena uses Transport Layer Security (TLS) encryption for data-in-transit between Athena and Amazon S3, and between Athena and customer applications accessing it, but this is not true for Amazon Data Firehose.
I think that is incorrect now? According to https://docs.aws.amazon.com/firehose/latest/dev/encryption.html, the page clearly states "Amazon Data Firehose encrypts all data in transit using TLS protocol".
-
Hello chris-4,
Thank you for reaching out!
You are correct, and I appreciate your attention to detail. Upon reviewing the current AWS documentation, Amazon Data Firehose does indeed encrypt all data in transit using TLS by default. This ensures that the data is securely transmitted between sources and destinations, including Amazon S3.
The review content stating that Data Firehose does not automatically encrypt data in transit was inaccurate. The correct setup, as described in the option you mentioned—using Amazon Kinesis Data Streams with Kinesis Client Library (KCL) consumers, storing records in an S3 bucket with SSE-KMS encryption, and performing analytics with Amazon Athena—is a valid and secure architecture that meets the requirement for data encryption both at rest and in transit.
We have now updated the question and reviewed the content to reflect this correction to the portal, and we thank you for pointing that out.
Feel free to reach out if you have any further questions or need clarification.
Best,
Irene @ Tutorials Dojo
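As an added illustration (not part of either post or of the Tutorials Dojo question bank), the following S3 bucket policy turns the two properties the thread relies on, TLS in transit and SSE-KMS at rest, into enforced conditions on the records bucket rather than defaults that are assumed to hold. The bucket name is a placeholder; the three Deny statements reject any request that is not made over TLS (aws:SecureTransport is false), any PutObject whose encryption header is not aws:kms, and any PutObject that omits the header entirely, which is the documented pattern because StringNotEquals alone does not catch a missing key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-medical-records-bucket",
        "arn:aws:s3:::example-medical-records-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyUploadsNotUsingSseKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-medical-records-bucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    },
    {
      "Sid": "DenyUploadsWithoutEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-medical-records-bucket/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    }
  ]
}
```

Because Athena and the KCL consumers talk to S3 over TLS, the SecureTransport deny does not interfere with the architecture in the thread; it only blocks a misconfigured client that falls back to plain HTTP.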