Which solution will meet these requirements with the LEAST operational overhead?
1. Configure encryption at rest for Amazon RDS for MySQL by using AWS KMS managed keys. Configure AWS Certificate Manager (ACM) SSL/TLS certificates for encryption in transit.
2. Configure encryption at rest for Amazon RDS for MySQL by using AWS KMS managed keys. Configure IPsec tunnels for encryption in transit.
3. Implement third-party application-level data encryption before storing data in Amazon RDS for MySQL. Configure AWS Certificate Manager (ACM) SSL/TLS certificates for encryption in transit.
4. Configure encryption at rest for Amazon RDS for MySQL by using AWS KMS managed keys. Configure a VPN connection to enable private connectivity to encrypt data in transit.
Explanations:
1. This option meets the requirement for both encryption at rest and in transit with minimal operational overhead. Using AWS KMS managed keys for RDS ensures automatic encryption at rest without requiring additional management. ACM simplifies SSL/TLS certificate management for encryption in transit.
2. While this option correctly configures encryption at rest with AWS KMS managed keys, using IPsec tunnels adds complexity and operational overhead for establishing and managing the tunnels, which is not necessary given AWS’s built-in capabilities.
3. Although this option achieves encryption in transit with ACM SSL/TLS certificates, implementing third-party application-level encryption adds significant operational overhead. It requires managing encryption keys and integrating encryption logic within the application, contrary to the requirement for the least operational overhead.
4. This option configures encryption at rest with AWS KMS managed keys, but using a VPN connection for encrypting data in transit introduces unnecessary complexity and operational overhead compared to using SSL/TLS with ACM, which is more straightforward.