AWS Certified Solutions Architect – Associate (SAA-C03) — Question 254

A company is building a new web-based customer relationship management application. The application will use several Amazon EC2 instances that are backed by Amazon Elastic Block Store (Amazon EBS) volumes behind an Application Load Balancer (ALB). The application will also use an Amazon Aurora database. All data for the application must be encrypted at rest and in transit.

Which solution will meet these requirements?

Answer options

• A. Use AWS Key Management Service (AWS KMS) certificates on the ALB to encrypt data in transit. Use AWS Certificate Manager (ACM) to encrypt the EBS volumes and Aurora database storage at rest.
• B. Use the AWS root account to log in to the AWS Management Console. Upload the company’s encryption certificates. While in the root account, select the option to turn on encryption for all data at rest and in transit for the account.
• C. Use AWS Key Management Service (AWS KMS) to encrypt the EBS volumes and Aurora database storage at rest. Attach an AWS Certificate Manager (ACM) certificate to the ALB to encrypt data in transit.
• D. Use BitLocker to encrypt all data at rest. Import the company’s TLS certificate keys to AWS Key Management Service (AWS KMS) Attach the KMS keys to the ALB to encrypt data in transit.

Correct answer: C

Explanation

The correct answer is C because it specifies using AWS Key Management Service (AWS KMS) to encrypt EBS volumes and Aurora database storage at rest, while also attaching an AWS Certificate Manager (ACM) certificate to the ALB for encrypting data in transit. Option A incorrectly suggests using ACM for EBS volume encryption, which is not supported. Option B does not utilize AWS KMS for encryption and relies on the root account, which is not a best practice. Option D incorrectly suggests using BitLocker, which is not relevant to AWS services.