Question 37
Domain 4: Design Cost-Optimized Architectures
A company is using AWS DMS to migrate a database. They need to ensure the data is encrypted both in transit and at rest. How can this be achieved?
Correct answer: B
Explanation
AWS guidance says to encrypt data at rest and in transit: "Encrypting data at rest (for example, AWS KMS)" and "Encrypting data in transit (for example, AWS Certificate Manager [ACM] using TLS)." Enabling SSL/TLS secures the DMS connection, and encrypted RDS instances protect stored data.
Why each option is right or wrong
A. DMS doesn't support encryption
Incorrect. As the explanation above notes, DMS supports SSL/TLS on its connections, so this statement is false.
B. Enable SSL/TLS for connections and use encrypted RDS instances
AWS Database Migration Service supports SSL/TLS on the replication instance and endpoint connections, which is the mechanism that protects the migration traffic while it moves between the source and target. For the stored database contents, Amazon RDS encryption at rest is provided by AWS KMS-managed keys and must be enabled on the DB instance; if the instance is not created encrypted, AWS does not retroactively encrypt it, so the target must be an encrypted RDS instance to satisfy the at-rest requirement.
C. Use VPN for all connections
Incorrect. A VPN only protects the data while it is on the network (in transit); it does nothing for the data stored in the target database, so the at-rest requirement is not met.
D. Encryption is automatic and cannot be configured
Incorrect. Both SSL/TLS on DMS connections and RDS encryption at rest are settings that must be enabled; neither is applied automatically.