Question #711
A company is migrating a database application to AWS and wants to use fully managed services. The database stores sensitive transaction records with the following requirements:
- The data must be highly durable and available
- The data must be encrypted at rest and in transit
- The encryption keys must be managed by the company and rotated periodically
Which solution should the solutions architect recommend?
A. Use Amazon RDS with SSL connections and encryption at rest using an AWS KMS customer-managed key.
B. Use Amazon DynamoDB with SSL for data in transit and server-side encryption using an AWS KMS customer-managed key.
C. Deploy Amazon EC2 instances with encrypted EBS volumes using a customer-managed KMS key and configure SSL on the database application.
D. Use Amazon S3 with a bucket policy enforcing HTTPS and server-side encryption using AWS KMS.
Explanation
Amazon DynamoDB (Option B) is the correct choice because it is a fully managed NoSQL database service that inherently provides high durability and availability through automatic multi-AZ replication. DynamoDB encrypts data in transit using SSL/TLS by default and supports server-side encryption (SSE) using AWS KMS customer-managed keys (CMKs), allowing the company to manage and rotate keys as required.
Option A (Amazon RDS) also meets encryption requirements but is relational, which may not fit all use cases. Option C involves EC2, which is not fully managed. Option D uses Amazon S3, a storage service, not a transactional database. Thus, DynamoDB best satisfies all specified requirements while being fully managed.
Answer
The correct answer is: B