AWS Certified Solutions Architect – Associate (SAA-C02) — Question 727

A company is building an ecommerce application and needs to store sensitive customer information. The company needs to give customers the ability to complete purchase transactions on the website. The company also needs to ensure that sensitive customer data is protected, even from database administrators.
Which solution meets these requirements?

Answer options

• A. Store sensitive data in an Amazon Elastic Block Store (Amazon EBS) volume. Use EBS encryption to encrypt the data. Use an IAM instance role to restrict access.
• B. Store sensitive data in Amazon RDS for MySQL. Use AWS Key Management Service (AWS KMS) client-side encryption to encrypt the data.
• C. Store sensitive data in Amazon S3. Use AWS Key Management Service (AWS KMS) server-side encryption to encrypt the data. Use S3 bucket policies to restrict access.
• D. Store sensitive data in Amazon FSx for Windows Server. Mount the file share on application servers. Use Windows file permissions to restrict access.

Correct answer: B

Explanation

Using AWS KMS client-side encryption allows the application to encrypt the sensitive customer data before it is sent to Amazon RDS for MySQL, ensuring that database administrators cannot view the plaintext data. Other options using server-side or storage-level encryption would allow users with administrative access to the underlying storage or database engine to potentially view the unencrypted data. Therefore, client-side encryption is the only mechanism that successfully hides the data from DBAs while still utilizing a relational database for transactional consistency.