AWS Certified Database – Specialty — Question 305

A company conducted a security audit of its AWS infrastructure. The audit identified that data was not encrypted in transit between application servers and a
MySQL database that is hosted in Amazon RDS.
After the audit, the company updated the application to use an encrypted connection. To prevent this problem from occurring again, the company's database team needs to configure the database to require in-transit encryption for all connections.
Which solution will meet this requirement?

Answer options

• A. Update the parameter group in use by the DB instance, and set the require_secure_transport parameter to ON.
• B. Connect to the database, and use ALTER USER to enable the REQUIRE SSL option on the database user.
• C. Update the security group in use by the DB instance, and remove port 80 to prevent unencrypted connections from being established.
• D. Update the DB instance, and enable the Require Transport Layer Security option.

Correct answer: A

Explanation

To enforce in-transit encryption for Amazon RDS MySQL, you must set the require_secure_transport parameter to ON in the DB instance's parameter group. Option B is incorrect because modifying individual users does not enforce global compliance as efficiently as parameter groups. Option C is incorrect because MySQL databases communicate over port 3306, not port 80, and Option D is incorrect because there is no direct 'Require Transport Layer Security' setting in the RDS instance modification console.