Question 29
Domain 5: Data Protection
A company is building an application on AWS that will store sensitive information. The company has a support team with access to the IT infrastructure, including databases. The company's security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead. The credentials must be regularly rotated. What should the security engineer recommend?
Correct answer: C
Explanation
AWS Secrets Manager supports automatic rotation, which meets the requirement that credentials be “regularly rotated” with minimal management overhead. RDS and EBS encryption protect data at rest, and TLS protects data in transit; together they limit exposure of the sensitive information both to the support team and during a breach.
Why each option is right or wrong
A. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an AWS Lambda function to rotate database credentials. Set up TLS for the connection to the database.
EC2 user data is not a secure credential store, and Lambda rotation adds more management overhead.
B. Install a database on an Amazon EC2 instance. Enable third-party disk encryption to encrypt Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in AWS CloudHSM with automatic rotation. Set up TLS for the connection to the database.
CloudHSM stores keys, not database credentials, and third-party disk encryption adds operational overhead.
C. Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.
AWS Secrets Manager is the only option that directly satisfies the requirement for regular credential rotation with minimal operational effort, because it supports built-in automatic rotation for supported database credentials. The data-at-rest controls are also correctly matched to the storage layers in the scenario: Amazon RDS encryption protects the DB instance and its snapshots, and Amazon EBS encryption protects attached EC2 volumes and their snapshots under AWS KMS. TLS is then required for the RDS connection to protect the database traffic in transit, preventing exposure of the sensitive information even if the support team has infrastructure-level access.
D. Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS keys. Set up Amazon RDS encryption using AWS KMS to encrypt the database. Store the database credentials in AWS Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.
Systems Manager Parameter Store does not provide automatic credential rotation for database secrets.
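As an added illustration (not part of the exam question or its answer key), the following CloudFormation fragment implements the controls in option C: encrypted RDS storage, TLS enforced on the database, credentials generated and held in Secrets Manager, and Secrets Manager's built-in rotation. The resource names, PostgreSQL engine, instance size and 30-day schedule are assumptions; the EC2/EBS encryption part of the option and the VPC networking are omitted.

```yaml
Resources:
  DbCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: example/app/db-credentials        # assumed name
      GenerateSecretString:
        SecretStringTemplate: '{"username": "appadmin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'

  RequireTls:                                 # reject non-TLS client connections
    Type: AWS::RDS::DBParameterGroup
    Properties:
      Description: Force TLS for PostgreSQL clients
      Family: postgres15
      Parameters:
        rds.force_ssl: 1

  Database:                                   # VPC, subnet group and SG omitted
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      EngineVersion: '15'
      DBInstanceClass: db.t3.micro
      AllocatedStorage: 20
      StorageEncrypted: true                  # encrypts instance storage and snapshots (KMS)
      DBParameterGroupName: !Ref RequireTls
      MasterUsername: !Sub '{{resolve:secretsmanager:${DbCredentials}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DbCredentials}:SecretString:password}}'

  CredentialsAttachment:                      # adds host/port/dbname to the secret
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DbCredentials
      TargetId: !Ref Database
      TargetType: AWS::RDS::DBInstance

  Rotation:                                   # Secrets Manager runs the rotation Lambda
    Type: AWS::SecretsManager::RotationSchedule
    DependsOn: CredentialsAttachment
    Properties:
      SecretId: !Ref DbCredentials
      HostedRotationLambda:
        RotationType: PostgreSQLSingleUser    # needs VpcSecurityGroupIds/VpcSubnetIds in a VPC
      RotationRules:
        AutomaticallyAfterDays: 30
```

The application should read the credentials from Secrets Manager at connection time rather than caching them, so that the rotated password is picked up without a redeploy.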