What should the security engineer recommend?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company is building an application on AWS that will store sensitive information.The company has a support team with access to the IT infrastructure, including databases.The company’s security engineer must introduce measures to protect the sensitive data against any data breach while minimizing management overhead.The credentials must be regularly rotated.

What should the security engineer recommend?

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Include the database credential in the EC2 user data field. Use an AWS Lambda function to rotate database credentials. Set up TLS for the connection to the database.

Install a database on an Amazon EC2 instance. Enable third-party disk encryption to encrypt Amazon Elastic Block Store (Amazon EBS) volume. Store the database credentials in AWS CloudHSM with automatic rotation. Set up TLS for the connection to the database.

Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Set up an AWS CloudHSM cluster with AWS Key Management Service (AWS KMS) to store KMS keys. Set up Amazon RDS encryption using AWS KSM to encrypt the database. Store the database credentials in AWS Systems Manager Parameter Store with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Explanations:

While Amazon RDS encryption, EBS encryption, and TLS are correctly recommended, storing database credentials in EC2 user data is insecure. User data is accessible to the EC2 instance and potentially to anyone with access to the instance. Also, using Lambda to rotate credentials introduces unnecessary complexity.

Installing a database on EC2 is not optimal for a fully managed, scalable solution like RDS. Third-party disk encryption is not needed when using EBS encryption. Storing credentials in CloudHSM introduces complexity and cost without significant benefit in this scenario.

Amazon RDS encryption, EBS encryption, and TLS are appropriate measures. Storing credentials in AWS Secrets Manager with automatic rotation simplifies credential management and meets the security requirements with minimal overhead.

Using AWS CloudHSM with AWS KMS is an unnecessary complexity for this use case. RDS encryption and storing credentials in Systems Manager Parameter Store is a better option. Systems Manager Parameter Store, while capable, lacks the automatic credential rotation that Secrets Manager offers.

2025-10-14

1 Comment

  1. Adam
    Author

    I would say the answer is:
    Enable Amazon RDS encryption to encrypt the database and snapshots. Enable Amazon Elastic Block Store (Amazon EBS) encryption on Amazon EC2 instances. Store the database credentials in AWS Secrets Manager with automatic rotation. Set up TLS for the connection to the RDS hosted database.

Leave a Reply

Your email address will not be published. Required fields are marked *

5 × one =