AWS Certified Solutions Architect – Associate (SAA-C02) — Question 664
A company has a customer relationship management (CRM) application that stores data in an Amazon RDS DB instance that runs Microsoft SQL Server. The company's IT staff has administrative access to the database. The database contains sensitive data. The company wants to ensure that the data is not accessible to the IT staff and that only authorized personnel can view the data.
What should a solutions architect do to secure the data?
Answer options
- A. Use client-side encryption with an Amazon RDS managed key.
- B. Use client-side encryption with an AWS Key Management Service (AWS KMS) customer managed key.
- C. Use Amazon RDS encryption with an AWS Key Management Service (AWS KMS) default encryption key.
- D. Use AWS Secrets Manager to manage database users. Encrypt secrets with an AWS Key Management Service (AWS KMS) customer managed key. Enable RDS encryption.
Correct answer: D
Explanation
Answer D combines three controls. AWS Secrets Manager holds the database credentials, and encrypting those secrets with an AWS KMS customer managed key lets the company attach a key policy of its own, so decryption of the credentials can be limited to the roles used by authorized personnel rather than granted to everyone with IAM access. Enabling RDS encryption encrypts the DB instance's storage, automated backups, snapshots and read replicas at rest, which protects the data against anyone who obtains the underlying storage or a copied snapshot. Option A is not viable because there is no "Amazon RDS managed key" for client-side encryption; RDS uses KMS keys. Option C's default AWS managed key (aws/rds) has a policy maintained by AWS that the company cannot edit, so it gives no per-principal control. One caveat a practitioner should keep in mind: RDS encryption at rest is transparent to the SQL Server engine, so anyone who can log in with administrative database privileges still reads plaintext through normal queries; encryption at rest on its own does not hide data from the DBAs. The control that actually withholds plaintext from database administrators is client-side encryption with a key whose KMS policy excludes them, which is what option B describes, so in a real design that layer should sit on top of the controls listed in D.
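The "granular key policy" the explanation relies on looks like the following. This is an added example, not part of the question page or AWS documentation; the account ID 111122223333 is the placeholder AWS uses in its docs, and the role names CrmAuthorizedViewer and ItDatabaseAdmin are assumed. Attached to the customer managed key that encrypts the Secrets Manager secret (option D) or the client-side data keys (option B), it lets the authorized role use the key and explicitly denies the IT administrators' role any decryption, and an explicit Deny wins over any Allow granted elsewhere in IAM.

```json
{
  "Version": "2012-10-17",
  "Id": "crm-sensitive-data-key-policy",
  "Statement": [
    {
      "Sid": "KeyAdministrationByAccountRoot",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AuthorizedPersonnelMayUseKey",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/CrmAuthorizedViewer" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyDatabaseAdminsAnyDecryption",
      "Effect": "Deny",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/ItDatabaseAdmin" },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:ReEncryptFrom"
      ],
      "Resource": "*"
    }
  ]
}
```

Two checks before relying on this: the IT staff must not hold kms:PutKeyPolicy or account-level administrator rights, or they can simply rewrite the policy, and the Deny only matters for data the key actually protects. With option D alone it blocks the DBAs from reading the stored credentials, not from reading rows they can already query; only when the same key gates client-side encryption of the sensitive columns does the Deny keep the plaintext away from them.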