Encrypt Data in Transit for AWS RDS Instances | SCS-C01 Exam Preparation

Implementing Encryption in Transit for AWS RDS Instances

Question

In order to encrypt data in transit for a connection to an AWS RDS instance, which of the following would you implement?

Answers

Explanations

A. Transparent data encryption
B. SSL/TLS from your application
C. Data keys from KMS
D. Data keys from HSM

Answer: B.

Option A is incorrect because Transparent Data Encryption (TDE, which RDS offers for Oracle and SQL Server) encrypts the data files on the instance's storage. It protects data at rest and does nothing for the network connection.

Option B is CORRECT because Amazon RDS creates an SSL/TLS certificate and installs it on the DB instance when the instance is provisioned. The certificate chains to an AWS-operated certificate authority, so a client that trusts the RDS CA bundle can verify that it is talking to the genuine endpoint and not to an on-path attacker; a client that merely demands encryption without verifying the certificate gets confidentiality against passive eavesdropping only.

Once an encrypted connection is established, all data transferred between the DB instance and your application is encrypted in transit.

You can also require the DB instance to accept only encrypted connections, so that a misconfigured client cannot silently fall back to plaintext. This is done in the DB parameter group, for example with rds.force_ssl for PostgreSQL and SQL Server, or require_secure_transport for MySQL.

Option C is incorrect because data keys from AWS KMS are used for envelope encryption of data at rest (for example the encrypted storage, snapshots and backups of an RDS instance), not for encrypting the network connection to the database.

Option D is incorrect because keys held in a hardware security module (AWS CloudHSM) likewise serve encryption of data at rest, such as backing a TDE key store; they do not encrypt the connection between the application and the DB instance.

AWS Documentation provides more information as mentioned below:

You can use SSL/TLS from your application to encrypt a connection to a DB instance running MySQL, MariaDB, Amazon Aurora, SQL Server, Oracle, or PostgreSQL.

For more information on working with RDS and SSL/TLS, refer to the following URLs:

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

https://aws.amazon.com/rds/features/security/

The correct answer for this question is B. SSL/TLS from your application.

When it comes to encrypting data in transit, the standard mechanism is SSL/TLS (Secure Sockets Layer/Transport Layer Security), a protocol that encrypts data as it travels over the network. SSL is the deprecated predecessor of TLS; current clients and RDS engines negotiate TLS, and the name "SSL" survives mainly in parameter and option names such as sslmode and rds.force_ssl.

In the context of an AWS RDS instance, SSL/TLS encrypts the connection between the application and the database. Any data sent between the two is then protected from interception and eavesdropping, and, provided the client verifies the server certificate against the RDS CA bundle, from an attacker impersonating the endpoint.

Transparent data encryption, or TDE, is a method of encrypting data at rest: the data is encrypted while it is stored on disk. TDE provides no protection for data in transit, which is the focus of this question.

Data keys from AWS KMS and CloudHSM are managed keys used to encrypt and decrypt stored data (envelope encryption of storage, snapshots and backups). An application could use such a key to encrypt a payload before sending it, but that is application-layer encryption of the data, not encryption of the database connection, and it is not what the question asks for.

In conclusion, the most appropriate way to encrypt data in transit for a connection to an AWS RDS instance is to use SSL/TLS from your application.
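As an added example (not code from the exam page or from AWS documentation), the following Python audit of client connection settings shows the practical difference the explanation above turns on: a libpq connection with sslmode=require encrypts the session but accepts any server certificate, while sslmode=verify-full with the RDS CA bundle encrypts it and verifies that the certificate RDS installed on the instance belongs to the endpoint being dialled. The helper names (parse_dsn, classify_pg_dsn, build_rds_pg_dsn, classify_mysql_ssl_mode), the host names, the DSNs and the CA bundle path are all constructed for illustration.

```python
"""Audit client TLS settings for an Amazon RDS connection.

Added example, not code from the exam page or from AWS. All DSNs, host
names and file paths below are constructed for illustration.
"""
import shlex

# libpq sslmode values in increasing order of protection.
PG_SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")

# MySQL client --ssl-mode values, mapped to the same protection classes.
MYSQL_SSL_MODES = {
    "DISABLED": "plaintext-possible",
    "PREFERRED": "plaintext-possible",   # falls back to plaintext if TLS fails
    "REQUIRED": "encrypted-unverified",  # TLS, but any server certificate accepted
    "VERIFY_CA": "encrypted-ca-only",
    "VERIFY_IDENTITY": "encrypted-verified",
}


def parse_dsn(dsn: str) -> dict:
    """Split a libpq key=value DSN ("host=h sslmode=require ...") into a dict."""
    params = {}
    for token in shlex.split(dsn):
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed DSN token: {token!r}")
        params[key] = value
    return params


def classify_pg_dsn(dsn: str) -> str:
    """Say what a libpq DSN guarantees against an on-path attacker.

    plaintext-possible   : client may negotiate, or fall back to, no TLS
    encrypted-unverified : TLS used, but the server certificate is not checked,
                           so an attacker can impersonate the RDS endpoint
    encrypted-ca-only    : certificate chain checked against sslrootcert,
                           but the host name in the certificate is not
    encrypted-verified   : chain and host name checked (sslmode=verify-full)
    """
    p = parse_dsn(dsn)
    mode = p.get("sslmode", "prefer")          # libpq's default when omitted
    if mode not in PG_SSLMODES:
        raise ValueError(f"unknown sslmode {mode!r}")
    if mode in ("disable", "allow", "prefer"):
        return "plaintext-possible"
    if mode == "require":
        # libpq: when a root CA file is given, 'require' verifies like verify-ca.
        return "encrypted-ca-only" if p.get("sslrootcert") else "encrypted-unverified"
    if mode == "verify-ca":
        return "encrypted-ca-only"
    return "encrypted-verified"


def is_mitm_resistant(dsn: str) -> bool:
    """True only when both the certificate chain and the host name are verified."""
    return classify_pg_dsn(dsn) == "encrypted-verified"


def build_rds_pg_dsn(host: str, dbname: str, user: str, password: str,
                     ca_bundle: str, port: int = 5432) -> str:
    """Build a libpq DSN that encrypts the session and verifies the RDS endpoint.

    ca_bundle is the path to the RDS CA bundle the client trusts; the
    certificate RDS installed on the instance chains to it.
    """
    parts = {
        "host": host, "port": str(port), "dbname": dbname, "user": user,
        "password": password,
        "sslmode": "verify-full",   # encrypt + verify chain + verify host name
        "sslrootcert": ca_bundle,
    }
    return " ".join(f"{k}={shlex.quote(v)}" for k, v in parts.items())


def classify_mysql_ssl_mode(mode: str) -> str:
    """Same classification for the MySQL client's --ssl-mode value."""
    try:
        return MYSQL_SSL_MODES[mode.upper()]
    except KeyError:
        raise ValueError(f"unknown ssl-mode {mode!r}") from None


if __name__ == "__main__":
    # Constructed DSNs; the host name is a placeholder, not a real endpoint.
    weak = "host=mydb.example.invalid dbname=app user=app sslmode=require"
    strong = build_rds_pg_dsn("mydb.example.invalid", "app", "app", "s3cret",
                              "/etc/ssl/certs/rds-global-bundle.pem")
    print(classify_pg_dsn(weak))    # encrypted-unverified
    print(classify_pg_dsn(strong))  # encrypted-verified
```

The client-side check is only half of the control. Even with a verify-full DSN in the application, another client with sslmode=disable would still get a plaintext session unless the instance refuses it, which is why the explanation also recommends forcing encrypted connections on the server: set rds.force_ssl to 1 (PostgreSQL, SQL Server) or require_secure_transport to ON (MySQL) in the instance's DB parameter group.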