AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company is building a new web-based customer relationship management application. The application will use several Amazon EC2 instances that are backed by Amazon Elastic Block Store (Amazon EBS) volumes behind an Application Load Balancer (ALB). The application will also use an Amazon Aurora database. All data for the application must be encrypted at rest and in transit.

Which solution will meet these requirements?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Use AWS Key Management Service (AWS KMS) certificates on the ALB to encrypt data in transit. Use AWS Certificate Manager (ACM) to encrypt the EBS volumes and Aurora database storage at rest.

Use the AWS root account to log in to the AWS Management Console. Upload the company's encryption certificates. While in the root account, select the option to turn on encryption for all data at rest and in transit for the account.

Use AWS Key Management Service (AWS KMS) to encrypt the EBS volumes and Aurora database storage at rest. Attach an AWS Certificate Manager (ACM) certificate to the ALB to encrypt data in transit.

Use BitLocker to encrypt all data at rest. Import the company’s TLS certificate keys to AWS Key Management Service (AWS KMS) Attach the KMS keys to the ALB to encrypt data in transit.

Explanation:

Explanation

Correct Answer: C

This solution correctly addresses both encryption requirements:

Encryption at Rest:

AWS KMS is the proper service for encrypting data at rest for AWS services.
EBS volumes can be encrypted using KMS-managed keys.
Amazon Aurora databases can be encrypted at rest using KMS keys.

Encryption in Transit:

AWS Certificate Manager (ACM) is the correct service for managing SSL/TLS certificates for encrypting data in transit.
ACM certificates can be attached to Application Load Balancers (ALB) to enable HTTPS encryption.

Why Other Options Are Incorrect:

A: Incorrect because:

AWS KMS is not used for certificates on ALBs (that's ACM's role)
ACM is not used for encrypting EBS volumes or Aurora storage at rest (that's KMS's role)

B: Incorrect because:

There's no single option in AWS Console to "turn on encryption for all data at rest and in transit for the account"
Using the root account for operational tasks violates AWS security best practices
Encryption must be configured per service, not globally

D: Incorrect because:

BitLocker is a Windows-specific encryption tool, not an AWS-native solution
KMS keys are not attached directly to ALBs for SSL/TLS encryption (ACM certificates are used)
Importing TLS certificate keys to KMS is not the standard approach for ALB encryption

Key AWS Services:

AWS KMS (Key Management Service) - For encryption at rest
ACM (AWS Certificate Manager) - For SSL/TLS certificates for encryption in transit

This solution follows AWS best practices and uses the appropriate services for each encryption requirement.

Powered ByGPT-5.2

Comments

Loading comments...