AWS Certified Data Analytics – Specialty — Question 121
A banking company is currently using Amazon Redshift for sensitive data. An audit found that the current cluster is unencrypted. Compliance requires that a database with sensitive data must be encrypted using a hardware security module (HSM) with customer managed keys.
Which modifications are required in the cluster to ensure compliance?
Answer options
- A. Create a new HSM-encrypted Amazon Redshift cluster and migrate the data to the new cluster.
- B. Modify the DB parameter group with the appropriate encryption settings and then restart the cluster.
- C. Enable HSM encryption in Amazon Redshift using the command line.
- D. Modify the Amazon Redshift cluster from the console and enable encryption using the HSM option.
Correct answer: A
Explanation
The correct answer is A: creating a new HSM-encrypted cluster and migrating the data to it is the only way to ensure compliance with the requirement for customer managed keys. The other options either do not achieve the necessary encryption level or rely on modifying the existing configuration, which cannot meet the compliance requirements.