AWS Certified Security – Specialty — Question 263
A company's application team needs to host a MySQL database on AWS. According to the company's security policy, all data that is stored on AWS must be encrypted at rest. In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation.
The application team needs a solution that satisfies the company's security requirements and minimizes operational overhead.
Which solution will meet these requirements?
Answer options
- A. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS Key Management Service (AWS KMS) custom key store that is backed by AWS CloudHSM for key management.
- B. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS managed CMK in AWS Key Management Service (AWS KMS) for key management.
- C. Host the database on an Amazon EC2 instance. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use a customer managed CMK in AWS Key Management Service (AWS KMS) for key management.
- D. Host the database on an Amazon EC2 instance. Use Transparent Data Encryption (TDE) for encryption and key management.
Correct answer: A
Explanation
Option A is correct: Amazon RDS is fully managed, its storage is encrypted at rest on the underlying Amazon EBS volumes, and the encryption keys are kept in an AWS KMS custom key store backed by AWS CloudHSM, whose HSMs are FIPS 140-2 Level 3 validated. Options B and D do not meet the FIPS 140-2 Level 3 requirement, and option C adds operational overhead by running the database on an EC2 instance instead of the fully managed RDS service.