AWS Certified Solutions Architect – Associate (SAA-C03) — Question 702
To meet security requirements, a company needs to encrypt all of its application data in transit while communicating with an Amazon RDS MySQL DB instance. A recent security audit revealed that encryption at rest is enabled using AWS Key Management Service (AWS KMS), but encryption in transit is not enabled.
What should a solutions architect do to satisfy the security requirements?
Answer options
- A. Enable IAM database authentication on the database.
- B. Provide self-signed certificates. Use the certificates in all connections to the RDS instance.
- C. Take a snapshot of the RDS instance. Restore the snapshot to a new instance with encryption enabled.
- D. Download AWS-provided root certificates. Provide the certificates in all connections to the RDS instance.
Correct answer: D
Explanation
To encrypt data in transit when connecting to an Amazon RDS MySQL DB instance, the client application must connect over SSL/TLS, which requires using the AWS-provided root certificates in the connection configuration so the client can verify the server certificate rather than merely negotiate an encrypted channel. Using self-signed certificates is incorrect because AWS manages the server certificates for RDS, and IAM database authentication manages access control rather than transport encryption. Restoring a snapshot is used for enabling encryption at rest, which is already configured, and does not establish SSL/TLS for data in transit.