Question 15 - AWS SAP-C02 Real Exam Questions [Feb 2026 Update]

Q: 15

A company needs to use an AWS Transfer Family SFTP-enabled server with an Amazon S3 bucket to receive updates from a third-party data supplier. The data is encrypted with Pretty Good Privacy (PGP) encryption The company needs a solution that will automatically decrypt the data after the company receives the data A solutions architect will use a Transfer Family managed workflow The company has created an 1AM service role by using an 1AM policy that allows access to AWS Secrets Manager and the S3 bucket The role's trust relationship allows the transfer amazonaws com service to assume the rote What should the solutions architect do next to complete the solution for automatic decryption'?

Options

Correct Answer:

Explanation

To automatically decrypt PGP-encrypted files upon upload, the AWS Transfer Family managed workflow requires the corresponding PGP private key. This sensitive key must be stored securely in AWS Secrets Manager. The decryption process is a standard, successful operation within the data pipeline, and therefore must be configured as a "nominal step" in the workflow. An exception-handling step is reserved for error conditions. This nominal step is then configured with the necessary PGP decryption parameters, referencing the private key stored in Secrets Manager. Finally, associating the workflow with the Transfer Family server ensures it is automatically triggered for every file successfully uploaded.

Why Incorrect

A. Decryption requires the private key, not the public key. The step must also be configured for decryption, not encryption.

B. Decryption is a standard operation (nominal step), not an error condition (exception-handling step), and the step must be configured for decryption.

D. This option is incorrect because it uses the wrong key (public instead of private) and the wrong step type (exception-handling instead of nominal).

References

1. AWS Transfer Family User Guide

"Create a workflow to decrypt files": This guide outlines the exact procedure. Step 1 explicitly states

"Store your PGP private key in AWS Secrets Manager." Step 3 details creating a workflow with a decryption step

which is a nominal (standard) step. Step 4 describes associating the workflow with the server. (See section: Managed workflows > Example workflows and steps > Create a workflow to decrypt files).

2. AWS Transfer Family User Guide

"Workflow steps for AWS Transfer Family": This document describes the available workflow steps. The "Decrypt file" step is listed as a primary action. It specifies

"For PGP decryption

you must provide a private key and an optional passphrase that are stored in AWS Secrets Manager." This confirms the need for the private key and its storage location. (See section: Managed workflows > Workflow steps for AWS Transfer Family > Decrypt file).

3. AWS Transfer Family User Guide

"Getting started with AWS Transfer Family workflows": This page illustrates the workflow structure

showing that nominal steps handle the primary execution path

while exception-handling steps are for processing failures. Decryption is part of the primary path. (See section: Managed workflows > Getting started with AWS Transfer Family workflows).

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE