
Answer-first summary for fast verification
Answer: Create a key in AWS Key Management Service (AWS KMS). Enable encryption for the DB instances.
# Explanation

**Correct Answer: A**

Amazon RDS provides encryption at rest using AWS Key Management Service (AWS KMS). Here's why option A is correct:

1. **AWS KMS Integration**: Amazon RDS integrates directly with AWS KMS to manage encryption keys for data at rest.
2. **Encryption at Rest**: When you enable encryption for an RDS DB instance, AWS uses AWS KMS keys to encrypt:
   - The underlying storage
   - Automated backups
   - Read replicas
   - Snapshots
3. **How it works**:
   - Create or use an existing AWS KMS key
   - Enable encryption during DB instance creation
   - AWS handles the encryption/decryption transparently

**Why other options are incorrect**:

**Option B**: AWS Secrets Manager is for storing secrets (like database passwords), not for encryption keys for data at rest. Secrets Manager itself uses KMS for encryption.

**Option C**: AWS Certificate Manager (ACM) is for SSL/TLS certificates to encrypt data in transit, not data at rest. SSL/TLS protects data between clients and the database, not the stored data.

**Option D**: IAM doesn't generate certificates for encryption. IAM is for authentication and authorization, not for cryptographic operations.

**Key Points**:

- **Data at rest encryption** = AWS KMS + RDS encryption
- **Data in transit encryption** = SSL/TLS certificates (from ACM or self-signed)
- RDS encryption must be enabled at creation time and cannot be disabled later
- The encryption covers all underlying storage, backups, and snapshots
Author: LeetQuiz Editorial Team
A company is planning to store data on Amazon RDS DB instances. The company must encrypt the data at rest. What should a solutions architect do to meet this requirement?
A. Create a key in AWS Key Management Service (AWS KMS). Enable encryption for the DB instances.

B. Create an encryption key. Store the key in AWS Secrets Manager. Use the key to encrypt the DB instances.

C. Generate a certificate in AWS Certificate Manager (ACM). Enable SSL/TLS on the DB instances by using the certificate.

D. Generate a certificate in AWS Identity and Access Management (IAM). Enable SSL/TLS on the DB instances by using the certificate.