AWS Certified Solutions Architect – Associate (SAA-C02) — Question 763
To meet security requirements, a company needs to encrypt all of its application data in transit while communicating with an Amazon RDS MySQL DB instance. A recent security audit revealed that encryption at rest is enabled using AWS Key Management Service (AWS KMS), but encryption in transit is not.
What should a solutions architect do to satisfy the security requirements?
Answer options
- A. Enable IAM database authentication on the database.
- B. Provide self-signed certificates. Use the certificates in all connections to the RDS instance.
- C. Take a snapshot of the RDS instance. Restore the snapshot to a new instance with encryption enabled.
- D. Download AWS-provided root certificates. Provide the certificates in all connections to the RDS instance.
Correct answer: D
Explanation
To secure data in transit to an Amazon RDS MySQL DB instance, applications must establish SSL/TLS connections and verify the server certificate against the root CA certificates (the certificate bundle) that AWS publishes for RDS. RDS provisions each DB instance with a server certificate signed by the AWS RDS CA, so the client needs that CA bundle to validate the endpoint; without it a client may negotiate TLS but cannot tell a genuine RDS endpoint from an impostor. Option C addresses encryption at rest, which the audit confirmed is already configured with KMS, and a snapshot restore does nothing for the transport layer. Option A, IAM database authentication, governs how the client proves its identity, not whether the session is encrypted. Option B is incorrect because Amazon RDS manages its own server certificates and does not support customer-provided self-signed certificates on DB instances, so there is no way to install one on the server side. A practitioner should also note that downloading the bundle only equips clients to verify the server; to make encryption mandatory rather than optional, set the `require_secure_transport` parameter to `ON` in the instance's DB parameter group (MySQL 5.7 and later) or require TLS per account with `ALTER USER ... REQUIRE SSL`, so that an unencrypted connection is rejected instead of silently accepted.
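The following is an added example of what option D looks like in client code; it is not part of the original exam explanation or any AWS-published sample. It assumes PyMySQL as the client library (which accepts an `ssl.SSLContext` for its `ssl` argument), that the AWS RDS CA bundle has been downloaded to a local file, and placeholder values for the endpoint, user, and password. It also shows the check a practitioner runs after connecting: MySQL reports an empty `Ssl_cipher` status variable when the session is not encrypted, which is the condition the audit in the question found.

```python
"""Connect to an RDS MySQL instance over TLS, verifying the server against the
AWS-provided CA bundle, then confirm server-side that the session is encrypted.

Assumptions (not from the original page): PyMySQL is the client library, the
CA bundle is the global bundle AWS publishes for RDS, and the endpoint, user
and password are placeholders.
"""
import ssl

# Assumed local path of the downloaded AWS RDS CA bundle
# (published at https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem).
CA_BUNDLE = "global-bundle.pem"
# Placeholder endpoint; a real one is shown in the RDS console for the instance.
RDS_ENDPOINT = "mydb.abcdefghijkl.us-east-1.rds.amazonaws.com"


def build_rds_ssl_context(ca_bundle_path: str) -> ssl.SSLContext:
    """TLS context that trusts only the AWS RDS CA bundle and checks the hostname.

    This is why option B cannot work: the server presents a certificate issued
    by the AWS RDS CA, so only that CA's certificates can validate it, and a
    self-signed certificate supplied by the customer would never match.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.check_hostname = True             # endpoint name must match the cert SAN
    ctx.verify_mode = ssl.CERT_REQUIRED   # refuse a server that cannot be verified
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def session_is_encrypted(status_rows) -> bool:
    """Interpret the rows returned by SHOW STATUS LIKE 'Ssl_cipher'.

    Rows are (Variable_name, Value) pairs. An empty or missing Ssl_cipher value
    means no TLS cipher was negotiated, i.e. the session is plaintext.
    """
    status = dict(status_rows)
    return bool(status.get("Ssl_cipher"))


def connect_and_verify(user: str, password: str, ca_bundle_path: str = CA_BUNDLE):
    """Open a verified TLS connection and fail closed if it is not encrypted."""
    import pymysql  # assumed client library; imported lazily so the helpers above need no network

    conn = pymysql.connect(
        host=RDS_ENDPOINT,
        user=user,
        password=password,
        ssl=build_rds_ssl_context(ca_bundle_path),
    )
    with conn.cursor() as cur:
        cur.execute("SHOW STATUS LIKE 'Ssl_cipher'")
        rows = cur.fetchall()
    if not session_is_encrypted(rows):
        conn.close()
        raise RuntimeError("connection to RDS negotiated no TLS cipher; refusing to continue")
    return conn


if __name__ == "__main__":
    # Offline demonstration of the status check on constructed rows.
    print(session_is_encrypted([("Ssl_cipher", "TLS_AES_256_GCM_SHA384")]))  # True
    print(session_is_encrypted([("Ssl_cipher", "")]))                        # False
```

The same verification from the command line uses the stock MySQL client with `--ssl-ca=global-bundle.pem --ssl-mode=VERIFY_IDENTITY`, which likewise rejects a server certificate that does not chain to the bundle or does not match the endpoint name. The client-side check above complements, but does not replace, enforcing `require_secure_transport` on the instance.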