A company plans to store data on Amazon RDS DB instances and must encrypt the data at rest. What should a solutions architect do to meet this requirement?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a key in AWS Key Management Service (AWS KMS). Enable encryption for the DB instances..
Why this is the answer
To encrypt data at rest for Amazon RDS DB instances, the most straightforward and secure method is to enable encryption directly when creating or modifying the DB instance. This process leverages AWS Key Management Service (AWS KMS) for managing the encryption keys. When you enable encryption, RDS integrates with KMS to encrypt your data, backups, snapshots, and read replicas. The incorrect options are: Storing an encryption key in AWS Secrets Manager is not the standard or recommended way to encrypt RDS data at rest. Secrets Manager is primarily for managing credentials and other secrets, not for providing encryption keys for services like RDS. Generating a certificate in AWS Certificate Manager (ACM) or AWS Identity and Access Management (IAM) and enabling SSL/TLS encrypts data in transit (between the client and the database), not data at rest (on the storage volumes). The question specifically asks for encryption of data at rest.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed