AWS Certified Solutions Architect – Associate (SAA-C02) — Question 411
A company has a customer relationship management (CRM) application that stores data in an Amazon RDS DB instance that runs Microsoft SQL Server. The company's IT staff has administrative access to the database. The database contains sensitive data. The company wants to ensure that the data is not accessible to the IT staff and that only authorized personnel can view the data.
What should a solutions architect do to secure the data?
Answer options
- A. Use client-side encryption with an Amazon RDS managed key.
- B. Use client-side encryption with an AWS Key Management Service (AWS KMS) customer managed key.
- C. Use Amazon RDS encryption with an AWS Key Management Service (AWS KMS) default encryption key.
- D. Use Amazon RDS encryption with an AWS Key Management Service (AWS KMS) customer managed key.
Correct answer: D
Explanation
Enabling Amazon RDS encryption with an AWS KMS customer managed key lets the organization define strict key policies that restrict decryption permissions to authorized personnel, preventing IT administrators from accessing the underlying data. Default AWS KMS keys do not allow this level of granular policy customization, which makes a customer managed key the correct choice for restricting administrative access.