A company runs a highly sensitive application on Amazon EC2 backed by an Amazon RDS database. Compliance requires that all personally identifiable information (PII) be encrypted at rest. Which solution should a solutions architect recommend to meet this requirement with the LEAST infrastructure changes?
Choose an answer
Tap an option to check your answer.
Correct answer: Configure Amazon Elastic Block Store (Amazon EBS) encryption and Amazon RDS encryption with AWS Key Management Service (AWS KMS) keys to encrypt instance and database volumes..
Why this is the answer
The correct solution is to configure Amazon EBS encryption and Amazon RDS encryption with AWS KMS keys. This directly addresses the requirement for encrypting PII at rest with minimal infrastructure changes. Amazon RDS offers native encryption using KMS keys for database instances and snapshots, and EBS encryption secures the underlying volumes for EC2 instances. This approach leverages existing AWS services seamlessly. Deploying AWS Certificate Manager (ACM) for database volume encryption is incorrect because ACM manages SSL/TLS certificates for securing network communication, not for encrypting data at rest on volumes. Deploying AWS CloudHSM would provide hardware-based key storage but is an over-engineered solution for this requirement and involves significant infrastructure changes and cost compared to KMS. Configuring SSL encryption using KMS keys is incorrect because SSL encrypts data in transit, not data at rest, and KMS keys are used for data encryption, not directly for SSL certificate management.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed