AWS Certified Solutions Architect – Associate (SAA-C03) — Question 557

A company is building an ecommerce application and needs to store sensitive customer information. The company needs to give customers the ability to complete purchase transactions on the website. The company also needs to ensure that sensitive customer data is protected, even from database administrators.

Which solution meets these requirements?

Answer options

• A. Store sensitive data in an Amazon Elastic Block Store (Amazon EBS) volume. Use EBS encryption to encrypt the data. Use an IAM instance role to restrict access.
• B. Store sensitive data in Amazon RDS for MySQL. Use AWS Key Management Service (AWS KMS) client-side encryption to encrypt the data.
• C. Store sensitive data in Amazon S3. Use AWS Key Management Service (AWS KMS) server-side encryption to encrypt the data. Use S3 bucket policies to restrict access.
• D. Store sensitive data in Amazon FSx for Windows Server. Mount the file share on application servers. Use Windows file permissions to restrict access.

Correct answer: B

Explanation

Using AWS KMS client-side encryption ensures that sensitive customer data is encrypted on the application side before being sent to Amazon RDS for MySQL. Because the decryption keys are restricted to the application tier, database administrators (DBAs) with access to the database engine cannot view the plaintext data. Other options using server-side or storage-level encryption do not prevent administrators of those systems from accessing the decrypted data.