AWS Certified Solutions Architect – Associate (SAA-C02) — Question 721
A company is running a highly sensitive application on Amazon EC2 backed by an Amazon RDS database. Compliance regulations mandate that all personally identifiable information (PII) be encrypted at rest.
Which solution should a solutions architect recommend to meet this requirement with the LEAST amount of changes to the infrastructure?
Answer options
- A. Deploy AWS Certificate Manager to generate certificates. Use the certificates to encrypt the database volume.
- B. Deploy AWS CloudHSM, generate encryption keys, and use the keys to encrypt database volumes.
- C. Configure SSL encryption using AWS Key Management Service (AWS KMS) to encrypt database volumes.
- D. Configure Amazon Elastic Block Store (Amazon EBS) encryption and Amazon RDS encryption with AWS Key Management Service (AWS KMS) keys to encrypt instance and database volumes.
Correct answer: D
Explanation
Enabling native Amazon EBS encryption and Amazon RDS encryption using AWS Key Management Service (AWS KMS) keys provides a seamless, built-in way to achieve encryption at rest with minimal administrative effort and no change to the application or instance topology. AWS Certificate Manager issues certificates for securing data in transit rather than at-rest volume encryption, and SSL/TLS (option C) likewise protects data on the wire, not on disk. AWS CloudHSM would introduce unnecessary operational complexity compared to the managed KMS service.