AWS Certified Database – Specialty — Question 131
A financial services company uses Amazon RDS for Oracle with Transparent Data Encryption (TDE). The company is required to encrypt its data at rest at all times. The key required to decrypt the data has to be highly available, and access to the key must be limited. As a regulatory requirement, the company must have the ability to rotate the encryption key on demand. The company must be able to make the key unusable if any potential security breaches are spotted. The company also needs to accomplish these tasks with minimum overhead.
What should the database administrator use to set up the encryption to meet these requirements?
Answer options
- A. AWS CloudHSM
- B. AWS Key Management Service (AWS KMS) with an AWS managed key
- C. AWS Key Management Service (AWS KMS) with server-side encryption
- D. AWS Key Management Service (AWS KMS) CMK with customer-provided material
Correct answer: D
Explanation
The correct answer is D. An AWS KMS customer master key (CMK) with customer-provided (imported) key material gives the company the control and flexibility over its encryption keys that the requirements call for, including rotating the key on demand and making it unusable if a security incident is detected. Options A and B do not provide the same level of control over key management, and option C does not address the requirement for customer-provided key material.