AWS Certified Developer Associate DVA-C01 – Question 162

A company has deployed a single-page application on AWS. The application stores assets in an Amazon S3 bucket. The application has an Amazon CloudFront distribution that is configured with the S3 bucket as the origin. Amazon API Gateway APIs access AWS Lambda functions that store information in an Amazon DynamoDB table. The application ingests a payload that includes 20 fields of sensitive data.
Which combination of steps should a developer take to protect the sensitive data through its entire lifecycle in AWS? (Choose two.)

A. Create a Lambda@Edge function to encrypt data when CloudFront processes a client request. Configure the distribution to invoke the Lambda@Edge function when the origin request event occurs.
B. Generate an AWS Key Management Service (AWS KMS) customer managed key that Lambda@Edge can use.
C. Create an SSL/TLS certificate in AWS Certificate Manager (ACM). Associate the certificate with the Network Load Balancer.
D. Set up a Network Load Balancer for API Gateway private integrations.
E. Store the data in the S3 bucket by using server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Transfer the encrypted data from the S3 bucket to the DynamoDB table.

Correct Answer: BD