AWS Certified Data Analytics – Specialty — Question 3
A banking company is currently using an Amazon Redshift cluster with dense storage (DS) nodes to store sensitive data. An audit found that the cluster is unencrypted. Compliance requirements state that a database with sensitive data must be encrypted through a hardware security module (HSM) with automated key rotation.
Which combination of steps is required to achieve compliance? (Choose two.)
Answer options
- A. Set up a trusted connection with HSM using a client and server certificate with automatic key rotation.
- B. Modify the cluster with an HSM encryption option and automatic key rotation.
- C. Create a new HSM-encrypted Amazon Redshift cluster and migrate the data to the new cluster.
- D. Enable HSM with key rotation through the AWS CLI.
- E. Enable Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) encryption in the HSM.
Correct answer: A, C
Explanation
Option A is correct because establishing a trusted connection with the HSM and using automatic key rotation are essential for encryption compliance. Option C is also correct, as creating a new HSM-encrypted cluster ensures that the sensitive data is stored securely. Options B, D, and E do not fully satisfy the compliance requirement, as they either propose incomplete solutions or are not directly related to the necessary steps.