AWS Certified Solutions Architect – Associate (SAA-C03) — Question 933
A financial services company plans to launch a new application on AWS to handle sensitive financial transactions. The company will deploy the application on Amazon EC2 instances. The company will use Amazon RDS for MySQL as the database. The company’s security policies mandate that data must be encrypted at rest and in transit.
Which solution will meet these requirements with the LEAST operational overhead?
Answer options
- A. Configure encryption at rest for Amazon RDS for MySQL by using AWS KMS managed keys. Configure AWS Certificate Manager (ACM) SSL/TLS certificates for encryption in transit.
- B. Configure encryption at rest for Amazon RDS for MySQL by using AWS KMS managed keys. Configure IPsec tunnels for encryption in transit.
- C. Implement third-party application-level data encryption before storing data in Amazon RDS for MySQL. Configure AWS Certificate Manager (ACM) SSL/TLS certificates for encryption in transit.
- D. Configure encryption at rest for Amazon RDS for MySQL by using AWS KMS managed keys. Configure a VPN connection to enable private connectivity to encrypt data in transit.
Correct answer: A
Explanation
Encryption at rest for Amazon RDS for MySQL is a native feature: enable it when the instance is created with an AWS KMS key (the AWS managed key aws/rds or a customer managed key), and RDS encrypts the underlying storage, automated backups, read replicas and snapshots with no application changes. Note that it cannot be switched on for an existing unencrypted instance; the fix is to copy a snapshot with a KMS key and restore from the encrypted copy. For encryption in transit, RDS presents a server certificate signed by the RDS certificate authority, so the client downloads the RDS CA bundle and connects with TLS verification enabled, and the database can be made to refuse plaintext sessions by setting require_secure_transport=ON in the DB parameter group. In the exam's framing, AWS Certificate Manager (ACM) stands for this managed-certificate approach (ACM certificates themselves terminate TLS on load balancers, CloudFront and API Gateway in front of the EC2 tier, not on the RDS endpoint), which is why Option A is the intended answer: both halves are managed services with nothing to build, patch or rotate by hand. Third-party application-level encryption (Option C) leaves the company owning key management and cryptographic code. IPsec tunnels (Option B) and a VPN connection (Option D) add tunnel endpoints to provision, monitor and patch, and Option D in particular conflates private connectivity with encryption: EC2 and RDS already talk privately inside the VPC, and the MySQL session on that path is still plaintext unless TLS is used.
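As an added example that is not part of the exam page, the following Python checks the two controls behind Option A offline: it audits an instance record for at-rest encryption and a parameter group for enforced TLS, and builds a client invocation that refuses to connect without a verified TLS session. The input dict shapes mirror what `aws rds describe-db-instances` and `aws rds describe-db-parameters` return; the sample records, endpoint, account number and key ID are constructed for the example.

```python
"""Added example (not from the exam page): an offline check of the two
controls behind Option A, using dict shapes that mirror the JSON returned by
`aws rds describe-db-instances` and `aws rds describe-db-parameters`.
The sample records below are constructed for the example."""
from __future__ import annotations

# Location of the RDS certificate-authority bundle that clients must trust
# to verify the server certificate (published by AWS; download it out of band).
RDS_CA_BUNDLE_URL = "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem"


def audit_rds_mysql(instance: dict, parameters: list[dict]) -> list[str]:
    """Return a list of policy findings; an empty list means compliant.

    Checks:
      at rest    - StorageEncrypted must be true and carry a KmsKeyId
      in transit - require_secure_transport must be ON in the parameter group,
                   otherwise a client that omits TLS silently gets plaintext
    """
    findings: list[str] = []

    # --- at rest ---------------------------------------------------------
    if not instance.get("StorageEncrypted"):
        # Encryption cannot be turned on for an existing instance: copy a
        # snapshot with a KMS key and restore from the encrypted copy instead.
        findings.append("at-rest: StorageEncrypted is false")
    elif not instance.get("KmsKeyId"):
        findings.append("at-rest: encrypted instance has no KmsKeyId")

    # --- in transit ------------------------------------------------------
    params = {p["ParameterName"]: p.get("ParameterValue") for p in parameters}
    value = str(params.get("require_secure_transport", "OFF")).upper()
    if value not in ("ON", "1"):
        findings.append("in-transit: require_secure_transport is not ON")

    # Not a stated requirement in the question, but worth surfacing.
    if instance.get("PubliclyAccessible"):
        findings.append("exposure: PubliclyAccessible is true")
    return findings


def mysql_client_args(endpoint: str, port: int, user: str, ca_bundle_path: str) -> list[str]:
    """Build a mysql CLI command that only connects over a verified TLS session.

    VERIFY_IDENTITY validates the chain against the RDS CA bundle and checks
    that the certificate name matches the endpoint, blocking downgrade and MITM.
    """
    return [
        "mysql",
        f"--host={endpoint}",
        f"--port={port}",
        f"--user={user}",
        "--ssl-mode=VERIFY_IDENTITY",
        f"--ssl-ca={ca_bundle_path}",
    ]


# Constructed sample records (not real AWS output; account and key ID are placeholders).
COMPLIANT_INSTANCE = {
    "DBInstanceIdentifier": "txn-db",
    "Engine": "mysql",
    "StorageEncrypted": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
    "PubliclyAccessible": False,
}
NONCOMPLIANT_INSTANCE = {
    "DBInstanceIdentifier": "txn-db-legacy",
    "Engine": "mysql",
    "StorageEncrypted": False,
    "PubliclyAccessible": True,
}
TLS_REQUIRED = [{"ParameterName": "require_secure_transport", "ParameterValue": "ON"}]
TLS_OPTIONAL = [{"ParameterName": "require_secure_transport", "ParameterValue": "OFF"}]

if __name__ == "__main__":
    for inst, params in ((COMPLIANT_INSTANCE, TLS_REQUIRED), (NONCOMPLIANT_INSTANCE, TLS_OPTIONAL)):
        print(inst["DBInstanceIdentifier"], audit_rds_mysql(inst, params) or "compliant")
    # Constructed endpoint; the CA bundle path is wherever RDS_CA_BUNDLE_URL was saved.
    print(" ".join(mysql_client_args("txn-db.example.rds.amazonaws.com", 3306, "app", "global-bundle.pem")))
```

The two halves map directly onto the exam's requirement: the audit catches an instance that satisfies neither control, while the client arguments show that "in transit" is only real when the client verifies the RDS CA and the server refuses plaintext, neither of which an IPsec tunnel or VPN between subnets provides for the MySQL session itself.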