AWS Certified Solutions Architect – Associate (SAA-C02) — Question 731
A company is planning to store data on Amazon RDS DB instances. The company must encrypt the data at rest.
What should a solutions architect do to meet this requirement?
Answer options
- A. Create an encryption key, and store the key in AWS Secrets Manager. Use the key to encrypt the DB instances.
- B. Generate a certificate in AWS Certificate Manager (ACM). Enable SSL/TLS on the DB instances by using the certificate.
- C. Create a customer master key (CMK) in AWS Key Management Service (AWS KMS). Enable encryption for the DB instances.
- D. Generate a certificate in AWS Identity and Access Management (IAM). Enable SSL/TLS on the DB instances by using the certificate.
Correct answer: C
Explanation
Amazon RDS encrypts data at rest with an AWS Key Management Service (AWS KMS) customer master key (CMK), so the requirement is met by creating (or choosing) a KMS CMK and enabling encryption on the DB instances; note that this setting is chosen when the instance is created, since an existing unencrypted instance cannot be switched to encrypted in place. AWS Secrets Manager stores and rotates secrets such as database credentials; it does not manage RDS storage encryption keys. SSL/TLS certificates, whether issued through ACM or uploaded to IAM, protect data in transit between clients and the database, not data at rest.