
A company is planning to store data on Amazon RDS DB instances. The company must encrypt the data at rest. What should a solutions architect do to meet this requirement?
A. Create a key in AWS Key Management Service (AWS KMS). Enable encryption for the DB instances.
B. Create an encryption key. Store the key in AWS Secrets Manager. Use the key to encrypt the DB instances.
C. Generate a certificate in AWS Certificate Manager (ACM). Enable SSL/TLS on the DB instances by using the certificate.
D. Generate a certificate in AWS Identity and Access Management (IAM). Enable SSL/TLS on the DB instances by using the certificate.
Explanation:
Correct Answer: A
Amazon RDS provides encryption at rest using AWS Key Management Service (AWS KMS). Here's why option A is correct:
AWS KMS Integration: Amazon RDS integrates directly with AWS KMS to manage encryption keys for data at rest.
Encryption at Rest: When you enable encryption for an RDS DB instance, AWS uses AWS KMS keys to encrypt:
How it works:
Why other options are incorrect:
Option B: AWS Secrets Manager is for storing secrets (like database passwords), not for encryption keys for data at rest. Secrets Manager itself uses KMS for encryption.
Option C: AWS Certificate Manager (ACM) is for SSL/TLS certificates to encrypt data in transit, not data at rest. SSL/TLS protects data between clients and the database, not the stored data.
Option D: IAM doesn't generate certificates for encryption. IAM is for authentication and authorization, not for cryptographic operations.
Key Points: