AWS Certified Developer – Associate (DVA-C02) — Question 284
A company is building a compute-intensive application that will run on a fleet of Amazon EC2 instances. The application uses attached Amazon Elastic Block Store (Amazon EBS) volumes for storing data. The Amazon EBS volumes will be created at the time of initial deployment. The application will process sensitive information. All of the data must be encrypted. The solution should not impact the application's performance.
Which solution will meet these requirements?
Answer options
- A. Configure the fleet of EC2 instances to use encrypted EBS volumes to store data.
- B. Configure the application to write all data to an encrypted Amazon S3 bucket.
- C. Configure a custom encryption algorithm for the application that will encrypt and decrypt all data.
- D. Configure an Amazon Machine Image (AMI) that has an encrypted root volume and store the data to ephemeral disks.
Correct answer: A
Explanation
Amazon EBS encryption is performed on the EC2 host instances using specialized hardware optimization (AES-NI), which ensures secure data-at-rest encryption with minimal to no latency or CPU overhead. Using custom application-level encryption or routing all block storage traffic to Amazon S3 would introduce significant performance penalties. Ephemeral disks are not suitable for persistent data storage and do not satisfy the requirement as easily as native EBS encryption.