Question #793
Which AWS service is used to manage encryption keys for Amazon RDS database encryption at rest?
A. AWS Certificate Manager
B. AWS Systems Manager
C. AWS KMS
D. AWS Config
Explanation
The correct answer is C (AWS KMS). Amazon RDS uses AWS Key Management Service (KMS) to manage the encryption keys used for encryption at rest. When encryption is enabled for an RDS instance, AWS KMS generates and protects the customer master keys (CMKs) that encrypt the database storage, automated backups, read replicas, and snapshots.
Why other options are incorrect:
- A (AWS Certificate Manager): Manages SSL/TLS certificates for encrypting data in transit, not the keys used for encryption at rest.
- B (AWS Systems Manager): Focuses on operational management, automation, and parameter storage, not encryption key management.
- D (AWS Config): Tracks resource configuration and compliance but does not manage encryption keys.
Key Points:
- AWS KMS is the standard service for managing encryption keys in AWS.
- RDS encryption at rest requires a KMS customer-managed key (CMK) or AWS-managed key.
- KMS integrates with other AWS services to simplify encryption key lifecycle management.
Answer
The correct answer is: C