To automatically decrypt PGP-encrypted files upon upload, the AWS Transfer Family managed workflow requires the corresponding PGP private key. This sensitive key must be stored securely in AWS Secrets Manager. The decryption process is a standard, successful operation within the data pipeline, and therefore must be configured as a "nominal step" in the workflow. An exception-handling step is reserved for error conditions. This nominal step is then configured with the necessary PGP decryption parameters, referencing the private key stored in Secrets Manager. Finally, associating the workflow with the Transfer Family server ensures it is automatically triggered for every file successfully uploaded.

A. Decryption requires the private key, not the public key. The step must also be configured for decryption, not encryption.

B. Decryption is a standard operation (nominal step), not an error condition (exception-handling step), and the step must be configured for decryption.

D. This option is incorrect because it uses the wrong key (public instead of private) and the wrong step type (exception-handling instead of nominal).

1. AWS Transfer Family User Guide

"Create a workflow to decrypt files": This guide outlines the exact procedure. Step 1 explicitly states

"Store your PGP private key in AWS Secrets Manager." Step 3 details creating a workflow with a decryption step

which is a nominal (standard) step. Step 4 describes associating the workflow with the server. (See section: Managed workflows > Example workflows and steps > Create a workflow to decrypt files).

2. AWS Transfer Family User Guide

"Workflow steps for AWS Transfer Family": This document describes the available workflow steps. The "Decrypt file" step is listed as a primary action. It specifies

"For PGP decryption

you must provide a private key and an optional passphrase that are stored in AWS Secrets Manager." This confirms the need for the private key and its storage location. (See section: Managed workflows > Workflow steps for AWS Transfer Family > Decrypt file).

3. AWS Transfer Family User Guide

"Getting started with AWS Transfer Family workflows": This page illustrates the workflow structure

showing that nominal steps handle the primary execution path

while exception-handling steps are for processing failures. Decryption is part of the primary path. (See section: Managed workflows > Getting started with AWS Transfer Family workflows).