A developer is building an application that uses an Amazon RDS for PostgreSQL database. To meet security requirements, the developer needs to ensure that data is encrypted at rest. The developer must be able to rotate the encryption keys on demand.
A. Use an AWS KMS managed encryption key to encrypt the database.
B. Create a symmetric customer managed AWS KMS key. Use the key to encrypt the database.
C. Create a 256-bit AES-GCM encryption key. Store the key in AWS Secrets Manager, and enable managed rotation. Use the key to encrypt the database.
D. Create a 256-bit AES-GCM encryption key. Store the key in AWS Secrets Manager. Configure an AWS Lambda function to perform key rotation. Use the key to encrypt the database.
Why Option B is Correct: A customer managed AWS Key Management Service (KMS) key provides encryption at rest and lets the developer rotate the key on demand, which satisfies both the encryption and the key-management requirements.
RDS integrates natively with AWS KMS, so a customer managed key can be selected to encrypt the database's data at rest.
Key rotation is managed directly in AWS KMS; no custom rotation solution is needed.
Why Other Options are Incorrect:
Option A: AWS KMS managed encryption keys (AWS-owned keys) do not support on-demand key rotation.
Options C and D: Storing a raw key in AWS Secrets Manager and rotating it with managed rotation or a custom Lambda function is not a recommended approach for database encryption. AWS KMS is designed specifically for secure key management and encryption, and that is the service RDS uses for encryption at rest.
AWS Documentation References:
Encrypting Amazon RDS Resources
AWS Key Management Service (KMS)