Learn the most efficient and secure approach to encrypt data at rest and in transit for an Amazon RDS for MySQL database while minimizing operational overhead. Discover how to leverage AWS KMS and ACM to ensure data protection for your sensitive financial application. Prepare for the AWS Certified Solutions Architect Associate certification exam.
Question
A financial services company plans to launch a new application on AWS to handle sensitive financial transactions. The company will deploy the application on Amazon EC2 instances. The company will use Amazon RDS for MySQL as the database. The company’s security policies mandate that data must be encrypted at rest and in transit.
Which solution will meet these requirements with the LEAST operational overhead?
A. Configure encryption at rest for Amazon RDS for MySQL by using AWS KMS managed keys. Configure AWS Certificate Manager (ACM) SSL/TLS certificates for encryption in transit.
B. Configure encryption at rest for Amazon RDS for MySQL by using AWS KMS managed keys. Configure IPsec tunnels for encryption in transit.
C. Implement third-party application-level data encryption before storing data in Amazon RDS for MySQL. Configure AWS Certificate Manager (ACM) SSL/TLS certificates for encryption in transit.
D. Configure encryption at rest for Amazon RDS for MySQL by using AWS KMS managed keys. Configure a VPN connection to enable private connectivity to encrypt data in transit.
Answer
A. Configure encryption at rest for Amazon RDS for MySQL by using AWS KMS managed keys. Configure AWS Certificate Manager (ACM) SSL/TLS certificates for encryption in transit.
Explanation
To meet the security requirements of encrypting data at rest and in transit with the least operational overhead, the financial services company should:
- Use AWS Key Management Service (KMS) to enable encryption at rest for the Amazon RDS for MySQL database. AWS KMS is a managed service that makes it easy to create and control keys used for encryption. It reduces operational overhead by handling key management tasks such as key creation, rotation, and secure storage.
- Leverage AWS Certificate Manager (ACM) to provision, manage, and deploy public and private SSL/TLS certificates for encrypting data in transit. ACM simplifies certificate management by handling tasks such as certificate request, renewal, and deployment, minimizing operational overhead.
Options B and D suggest using IPsec tunnels or a VPN connection for encrypting data in transit. While these solutions provide encryption, they introduce additional operational complexity compared to using ACM SSL/TLS certificates.
Option C proposes implementing third-party application-level encryption before storing data in Amazon RDS. This approach adds unnecessary complexity and operational overhead, as RDS supports native encryption at rest using KMS.
Therefore, the combination of AWS KMS for encryption at rest and ACM SSL/TLS certificates for encryption in transit offers the most secure and operationally efficient solution for the financial services company’s requirements.
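As an added example (not part of the original question and not an AWS tool), the check below walks the shape of `aws rds describe-db-instances` and `describe-db-parameters` output and flags an instance that fails either control: storage not encrypted with a KMS key, or TLS not enforced through the `require_secure_transport` parameter. The instance identifier, key ARN, account number, endpoint and CA bundle path are constructed assumptions.

```python
from typing import Any

# Constructed sample shaped like one entry of `aws rds describe-db-instances`
# (identifier, key ARN and account number are made up for this example).
SAMPLE_INSTANCE: dict[str, Any] = {
    "DBInstanceIdentifier": "fin-txn-db",
    "Engine": "mysql",
    "StorageEncrypted": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    "CACertificateIdentifier": "rds-ca-rsa2048-g1",
    "DBParameterGroups": [
        {"DBParameterGroupName": "fin-mysql-tls", "ParameterApplyStatus": "in-sync"}
    ],
}

# Constructed sample shaped like `aws rds describe-db-parameters` for that group;
# require_secure_transport=1 makes the MySQL engine refuse non-TLS connections.
SAMPLE_PARAMETERS: list[dict[str, Any]] = [
    {"ParameterName": "require_secure_transport", "ParameterValue": "1", "Source": "user"},
]


def audit_rds_encryption(instance: dict[str, Any], parameters: list[dict[str, Any]]) -> list[str]:
    """Return findings for the at-rest and in-transit controls; an empty list means both pass."""
    findings: list[str] = []
    # At rest: storage must be encrypted, and a KMS key must actually be attached.
    if not instance.get("StorageEncrypted"):
        findings.append("StorageEncrypted is false: data at rest is not encrypted")
    elif not instance.get("KmsKeyId"):
        findings.append("StorageEncrypted is true but no KmsKeyId is reported")
    # In transit: TLS stays optional unless the engine is told to require it.
    values = {p["ParameterName"]: str(p.get("ParameterValue", "")) for p in parameters}
    if values.get("require_secure_transport") not in ("1", "ON"):
        findings.append("require_secure_transport is not 1: clients may connect without TLS")
    # A parameter change that is still pending is not yet enforced on the instance.
    for group in instance.get("DBParameterGroups", []):
        if group.get("ParameterApplyStatus") != "in-sync":
            findings.append(f"parameter group {group['DBParameterGroupName']} is not in-sync")
    return findings


def mysql_client_args(endpoint: str, ca_bundle_path: str) -> list[str]:
    """mysql CLI arguments that verify the server certificate chain and hostname, not just encrypt."""
    return ["mysql", "--host", endpoint, f"--ssl-ca={ca_bundle_path}", "--ssl-mode=VERIFY_IDENTITY"]


if __name__ == "__main__":
    print(audit_rds_encryption(SAMPLE_INSTANCE, SAMPLE_PARAMETERS) or "both controls satisfied")
    print(" ".join(mysql_client_args("fin-txn-db.example.rds.amazonaws.com", "/etc/ssl/rds-ca-bundle.pem")))
```

Encryption on the wire alone does not stop a client from connecting without TLS; the `require_secure_transport` check is what turns the in-transit requirement into an enforced control.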
Practice question and answer, with explanation, for the Amazon AWS Certified Solutions Architect – Associate (SAA-C03) certification exam.