To meet security requirements, a company needs to encrypt all application data in transit when communicating with an Amazon RDS MySQL DB instance. A recent audit showed encryption at rest is enabled with AWS KMS, but data in transit is not. What should a solutions architect do to satisfy the security requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Download AWS-provided root certificates and require all connections to the RDS instance to use those certificates..
Why this is the answer
To encrypt data in transit for an Amazon RDS MySQL DB instance, you must use SSL/TLS connections. AWS provides root certificates that clients can download and use to establish a secure, encrypted connection to the RDS instance. By requiring all client applications to use these certificates, you ensure that data exchanged between the client and the database is encrypted while in transit, satisfying the security requirement. Enabling IAM database authentication enhances security by managing database access through IAM roles and policies, but it doesn't inherently encrypt data in transit. Providing self-signed certificates is possible but adds operational overhead for certificate management and distribution, making AWS-provided certificates a more practical and secure option. Taking a snapshot and restoring it with encryption enabled only addresses encryption at rest, which the audit already confirmed was in place; it doesn't solve the in-transit encryption requirement.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed