AWS Certified Solutions Architect – Associate (SAA-C03) — Question 294

A company is planning to store data on Amazon RDS DB instances. The company must encrypt the data at rest.

What should a solutions architect do to meet this requirement?

Answer options

• A. Create a key in AWS Key Management Service (AWS KMS). Enable encryption for the DB instances.
• B. Create an encryption key. Store the key in AWS Secrets Manager. Use the key to encrypt the DB instances.
• C. Generate a certificate in AWS Certificate Manager (ACM). Enable SSL/TLS on the DB instances by using the certificate.
• D. Generate a certificate in AWS Identity and Access Management (IAM). Enable SSL/TLS on the DB instances by using the certificate.

Correct answer: A

Explanation

Amazon RDS uses AWS Key Management Service (AWS KMS) to manage encryption keys for encrypting data at rest. AWS Secrets Manager is designed for storing secrets such as passwords and API keys, not for encrypting database volumes. SSL/TLS certificates from ACM or IAM are used to secure data in transit, which does not address the requirement for encryption at rest.