
Answer-first summary for fast verification
Answer: Use AWS Key Management Service (AWS KMS) to encrypt the EBS volumes and Aurora database storage at rest. Attach an AWS Certificate Manager (ACM) certificate to the ALB to encrypt data in transit.
## Explanation

**Correct Answer: C**

This solution correctly addresses both encryption requirements:

### **Encryption at Rest:**

- **AWS KMS** is the proper service for encrypting data at rest for AWS services.
- EBS volumes can be encrypted using KMS-managed keys.
- Amazon Aurora databases can be encrypted at rest using KMS keys.

### **Encryption in Transit:**

- **AWS Certificate Manager (ACM)** is the correct service for managing SSL/TLS certificates for encrypting data in transit.
- ACM certificates can be attached to Application Load Balancers (ALB) to enable HTTPS encryption.

### **Why Other Options Are Incorrect:**

**A:** Incorrect because:

- AWS KMS is not used for certificates on ALBs (that's ACM's role)
- ACM is not used for encrypting EBS volumes or Aurora storage at rest (that's KMS's role)

**B:** Incorrect because:

- There's no single option in AWS Console to "turn on encryption for all data at rest and in transit for the account"
- Using the root account for operational tasks violates AWS security best practices
- Encryption must be configured per service, not globally

**D:** Incorrect because:

- BitLocker is a Windows-specific encryption tool, not an AWS-native solution
- KMS keys are not attached directly to ALBs for SSL/TLS encryption (ACM certificates are used)
- Importing TLS certificate keys to KMS is not the standard approach for ALB encryption

### **Key AWS Services:**

1. **AWS KMS (Key Management Service)** - For encryption at rest
2. **ACM (AWS Certificate Manager)** - For SSL/TLS certificates for encryption in transit

This solution follows AWS best practices and uses the appropriate services for each encryption requirement.
Author: LeetQuiz Editorial Team
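The split described in the explanation (KMS for EBS and Aurora storage, an ACM certificate on the ALB listener) can be checked mechanically before deployment. The following is an added example, not part of the original quiz page: it audits a CloudFormation-style template parsed into a dict. The templates, logical IDs, key alias, account ID and ARNs are constructed placeholders, and `audit_encryption` and `listener` are hypothetical helper names.

```python
# Added example (not from the original page). Templates below are constructed.
ACCT = "111122223333"  # placeholder account ID

def audit_encryption(template):
    """Return sorted (logical_id, finding) pairs for resources missing
    encryption at rest (KMS) or in transit (ACM certificate on the ALB)."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::Volume" and props.get("Encrypted") is not True:
            findings.append((name, "EBS volume not encrypted at rest"))
        elif rtype == "AWS::RDS::DBCluster" and props.get("StorageEncrypted") is not True:
            findings.append((name, "Aurora storage not encrypted at rest"))
        elif rtype == "AWS::ElasticLoadBalancingV2::Listener":
            certs = props.get("Certificates", [])
            if props.get("Protocol") != "HTTPS":
                findings.append((name, "ALB listener is not HTTPS"))
            # Option C calls for an ACM certificate; a KMS key ARN is not one.
            elif not any(str(c.get("CertificateArn", "")).startswith("arn:aws:acm:")
                         for c in certs):
                findings.append((name, "HTTPS listener has no ACM certificate"))
    return sorted(findings)

def listener(protocol, port, cert_arn=None):
    """Build a constructed ALB listener resource for the sample templates."""
    props = {"Protocol": protocol, "Port": port}
    if cert_arn:
        props["Certificates"] = [{"CertificateArn": cert_arn}]
    return {"Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": props}

# Option C: KMS on EBS and Aurora, ACM certificate on the ALB listener.
GOOD = {"Resources": {
    "DataVolume": {"Type": "AWS::EC2::Volume",
                   "Properties": {"Encrypted": True, "KmsKeyId": "alias/example-crm"}},
    "CrmCluster": {"Type": "AWS::RDS::DBCluster",
                   "Properties": {"Engine": "aurora-mysql", "StorageEncrypted": True,
                                  "KmsKeyId": "alias/example-crm"}},
    "WebListener": listener("HTTPS", 443, f"arn:aws:acm:us-east-1:{ACCT}:certificate/EXAMPLE"),
}}

# Misconfigured: unencrypted storage, plain HTTP, and a KMS key ARN on a listener.
BAD = {"Resources": {
    "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {"Encrypted": False}},
    "CrmCluster": {"Type": "AWS::RDS::DBCluster", "Properties": {"Engine": "aurora-mysql"}},
    "HttpListener": listener("HTTP", 80),
    "KmsListener": listener("HTTPS", 443, f"arn:aws:kms:us-east-1:{ACCT}:key/EXAMPLE"),
}}

if __name__ == "__main__":
    for logical_id, finding in audit_encryption(BAD):
        print(f"{logical_id}: {finding}")
```

A volume or cluster with encryption enabled but no `KmsKeyId` passes this check, since the service then uses its default AWS managed KMS key.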
A company is building a new web-based customer relationship management application. The application will use several Amazon EC2 instances that are backed by Amazon Elastic Block Store (Amazon EBS) volumes behind an Application Load Balancer (ALB). The application will also use an Amazon Aurora database. All data for the application must be encrypted at rest and in transit.
Which solution will meet these requirements?
A
Use AWS Key Management Service (AWS KMS) certificates on the ALB to encrypt data in transit. Use AWS Certificate Manager (ACM) to encrypt the EBS volumes and Aurora database storage at rest.
B
Use the AWS root account to log in to the AWS Management Console. Upload the company's encryption certificates. While in the root account, select the option to turn on encryption for all data at rest and in transit for the account.
C
Use AWS Key Management Service (AWS KMS) to encrypt the EBS volumes and Aurora database storage at rest. Attach an AWS Certificate Manager (ACM) certificate to the ALB to encrypt data in transit.
D
Use BitLocker to encrypt all data at rest. Import the company’s TLS certificate keys to AWS Key Management Service (AWS KMS). Attach the KMS keys to the ALB to encrypt data in transit.