A company has a compliance requirement to encrypt all data in transit. The company recently discovered an Amazon Aurora cluster that does not meet this requirement.
How can the company enforce encryption for all connections to the Aurora cluster?
A. In the Aurora cluster configuration, set the require_secure_transport DB cluster parameter to ON.
B. Use AWS Directory Service for Microsoft Active Directory to create a user directory and to enforce Kerberos authentication with Aurora.
C. Configure the Aurora cluster to use AWS Certificate Manager (ACM) to provide encryption certificates.
D. Create an Amazon RDS proxy. Connect the proxy to the Aurora cluster to enable encryption.
To enforce encryption in transit to Aurora, you must require clients to use TLS/SSL when connecting to the database. Aurora (depending on engine flavor) supports a parameter that enforces secure transport by rejecting non-TLS connections. Setting the DB (cluster/instance) parameter such as require_secure_transport to ON forces clients to negotiate SSL/TLS; otherwise the server refuses the connection, ensuring all data in transit is encrypted. This enforces the compliance requirement at the database endpoint itself, independent of client behavior.
Kerberos authentication (Option B) provides centralized authentication and is useful for AD integration, but it does not by itself guarantee that the network session is encrypted. Option C is incorrect because Aurora/RDS uses RDS-provided certificates for TLS; you don't attach ACM certificates to Aurora the way you would for an ALB or CloudFront. Option D is not the right enforcement mechanism: RDS Proxy helps with connection pooling and IAM authentication patterns, but it does not inherently force all client-to-proxy or proxy-to-database connections to be encrypted the way a DB parameter does (and you would still need to ensure clients use TLS). Therefore, enabling the parameter that requires secure transport is the correct solution.
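As an added example (not part of the original question or answer), a small audit that reports whether a cluster parameter group enforces TLS at the endpoint; it goes beyond the question by also covering Aurora PostgreSQL, whose equivalent parameter is rds.force_ssl. The cluster data is a constructed sample shaped like the boto3 describe_db_cluster_parameters response, and the function and cluster names are assumptions.

```python
"""Compliance check: does an Aurora cluster's parameter group enforce TLS?

Aurora MySQL rejects plaintext connections when require_secure_transport=ON;
Aurora PostgreSQL does the same with rds.force_ssl=1. The sample data below
is constructed to match the shape of boto3's
rds.describe_db_cluster_parameters(DBClusterParameterGroupName=...) output.
"""
from __future__ import annotations

# Engine -> (parameter that forces TLS, values that mean "enforced")
TLS_ENFORCEMENT_PARAMS = {
    "aurora-mysql": ("require_secure_transport", {"ON", "1"}),
    "aurora-postgresql": ("rds.force_ssl", {"1", "ON"}),
}


def tls_enforced(engine: str, parameters: list[dict]) -> tuple[bool, str]:
    """Return (compliant, reason) for one cluster's parameter list.

    The check is deliberately strict: a parameter that is absent, unset
    (ParameterValue None) or set to a non-enforcing value is reported as
    non-compliant, because the requirement is enforcement at the endpoint,
    not reliance on engine defaults or on client configuration.
    """
    if engine not in TLS_ENFORCEMENT_PARAMS:
        return False, f"unsupported engine {engine!r}: no TLS-enforcing parameter known"
    name, enforcing_values = TLS_ENFORCEMENT_PARAMS[engine]
    for param in parameters:
        if param.get("ParameterName") != name:
            continue
        value = param.get("ParameterValue")
        if value is None:
            return False, f"{name} is not set (engine default applies)"
        if value.strip().upper() in enforcing_values:
            return True, f"{name}={value}: non-TLS connections are rejected"
        return False, f"{name}={value}: plaintext connections are accepted"
    return False, f"{name} not present in parameter group"


def audit(clusters: dict) -> dict:
    """Map cluster id -> (compliant, reason) for every cluster given."""
    return {cid: tls_enforced(c["Engine"], c["Parameters"]) for cid, c in clusters.items()}


SAMPLE_CLUSTERS = {  # constructed sample data, not real clusters
    "orders-db": {"Engine": "aurora-mysql", "Parameters": [
        {"ParameterName": "require_secure_transport", "ParameterValue": "OFF", "Source": "user"}]},
    "billing-db": {"Engine": "aurora-mysql", "Parameters": [
        {"ParameterName": "require_secure_transport", "ParameterValue": "ON", "Source": "user"}]},
    "reports-db": {"Engine": "aurora-postgresql", "Parameters": [
        {"ParameterName": "rds.force_ssl", "ParameterValue": "0", "Source": "system"}]},
}

if __name__ == "__main__":
    for cid, (ok, why) in audit(SAMPLE_CLUSTERS).items():
        print(f"{'PASS' if ok else 'FAIL'} {cid}: {why}")
```

Only billing-db passes in the sample; the other two are the kind of cluster the question describes, where the fix is the parameter change in Option A.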