AWS Certified SysOps Administrator – Associate — Question 122

A company needs to deploy a new workload on AWS. The company must encrypt all data at rest and must rotate the encryption keys once each year. The workload uses an Amazon RDS for MySQL Multi-AZ database for data storage.

Which configuration approach will meet these requirements?

Answer options

• A. Enable Transparent Data Encryption (TDE) in the MySQL configuration file. Manually rotate the key every 12 months.
• B. Enable RDS encryption on the database at creation time by using the AWS managed key for Amazon RDS.
• C. Create a new AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Enable RDS encryption on the database at creation time by using the KMS key.
• D. Create a new AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the RDS DB instance.

Correct answer: C

Explanation

Option C is correct because it involves creating a customer managed key in AWS KMS with automatic key rotation, which meets the requirement for annual key rotation, and it enables RDS encryption at creation time, ensuring data at rest is encrypted. Option A does not automate the key rotation, and option B does not allow for annual key rotation since it relies on the AWS managed key. Option D focuses on EBS volumes, which does not directly apply to the RDS database encryption requirement.