AWS Certified Security – Specialty (SCS-C03) — Question 21
A company has a compliance requirement to encrypt all data in transit. The company recently discovered an Amazon Aurora cluster that does not meet this requirement.
How can the company enforce encryption for all connections to the Aurora cluster?
Answer options
- A. In the Aurora cluster configuration, set the require_secure_transport DB cluster parameter to ON.
- B. Use AWS Directory Service for Microsoft Active Directory to create a user directory and to enforce Kerberos authentication with Aurora.
- C. Configure the Aurora cluster to use AWS Certificate Manager (ACM) to provide encryption certificates.
- D. Create an Amazon RDS proxy. Connect the proxy to the Aurora cluster to enable encryption.
Correct answer: A
Explanation
The correct answer is A because setting the require_secure_transport DB cluster parameter to ON ensures that all connections to the Aurora cluster are encrypted. Options B and C do not specifically enforce encryption for all connections. Option D does not address the requirement directly, because creating an RDS proxy does not guarantee encryption on its own.