What should a database specialist do to meet this requirement?
Turn on data encryption when modifying the DB cluster by using the AWS Management Console or by using the AWS CLI to call the modify-db-cluster command.
Download the key pair for the DB instance. Reference that file from the --key-name option when connecting with a MySQL client.
Turn on data encryption by using AWS Key Management Service (AWS KMS). Use the AWS KMS key to encrypt the connections between a MySQL client and the Aurora DB cluster.
Turn on the require_secure_transport parameter in the DB cluster parameter group. Download the root certificate for the DB instance. Reference that file from the --ssl-ca option when connecting with a MySQL client.
Explanations:
Enabling data encryption for the DB cluster in Aurora only affects data at rest (encryption of the underlying storage), not data in transit (the connections between clients and the DB).
Downloading a key pair is not relevant to enabling encrypted connections. MySQL uses SSL/TLS certificates to encrypt connections, not an SSH-style key pair.
AWS Key Management Service (KMS) manages encryption keys for data at rest, but it does not encrypt the connections between clients and the DB cluster. SSL/TLS certificates serve that purpose.
Turning on the require_secure_transport parameter enforces SSL/TLS for every connection between MySQL clients and the Aurora DB cluster. The root certificate is needed so the client can verify the server's certificate and establish trust for the SSL/TLS connection.
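The following script shows the chosen option end to end. It is an added example, not part of the original question set or any AWS documentation: it assumes the AWS CLI and the mysql client are installed, and the parameter-group name, cluster endpoint and user name are placeholders to be replaced. The --ssl-mode=VERIFY_CA flag is an addition beyond the --ssl-ca option named in the answer; it makes the client fail the connection instead of silently proceeding when the server certificate cannot be verified against the CA bundle. The last function checks the session really is encrypted by inspecting the Ssl_cipher status variable.

```shell
#!/usr/bin/env sh
# Added example (not from the original page). Placeholder values below must be
# replaced with real ones before use.

PARAM_GROUP="${PARAM_GROUP:-my-aurora-mysql-cluster-params}"                   # placeholder
ENDPOINT="${ENDPOINT:-mycluster.cluster-xxxxxxxx.us-east-1.rds.amazonaws.com}"  # placeholder
DB_USER="${DB_USER:-admin}"                                                     # placeholder
CA_BUNDLE="${CA_BUNDLE:-global-bundle.pem}"

# 1. Enforce TLS on the cluster: set require_secure_transport=ON in the DB
#    cluster parameter group. The parameter is dynamic, so it applies immediately.
enforce_tls() {
  aws rds modify-db-cluster-parameter-group \
    --db-cluster-parameter-group-name "$PARAM_GROUP" \
    --parameters "ParameterName=require_secure_transport,ParameterValue=ON,ApplyMethod=immediate"
}

# 2. Download the RDS root CA bundle that the client uses to verify the server.
fetch_ca_bundle() {
  curl -fsSL -o "$CA_BUNDLE" \
    https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
}

# 3. Connect with certificate verification and ask the server which TLS cipher
#    the session negotiated. -N drops the column header, -p prompts for the password.
query_ssl_cipher() {
  mysql -h "$ENDPOINT" -u "$DB_USER" -p \
    --ssl-mode=VERIFY_CA --ssl-ca="$CA_BUNDLE" \
    -N -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'"
}

# 4. Parse the tab-separated "Ssl_cipher<TAB>value" line printed by step 3.
#    Returns 0 when a cipher is reported (encrypted session) and 1 when the
#    value is empty, which is what a plaintext session reports.
session_is_encrypted() {
  cipher=$(printf '%s\n' "$1" | awk -F'\t' '$1=="Ssl_cipher"{print $2}')
  [ -n "$cipher" ]
}

# Constructed sample of the line query_ssl_cipher prints for a TLS session
# (not captured from a real cluster).
SAMPLE_TLS_STATUS="$(printf 'Ssl_cipher\tTLS_AES_256_GCM_SHA384')"
# Constructed sample for a session that negotiated no TLS cipher.
SAMPLE_PLAIN_STATUS="$(printf 'Ssl_cipher\t')"

# Typical run (uncomment after replacing the placeholders):
# enforce_tls && fetch_ca_bundle && session_is_encrypted "$(query_ssl_cipher)" \
#   && echo "TLS in use" || echo "connection is NOT encrypted"
```

Once require_secure_transport is ON, a client that omits --ssl-ca (or uses --ssl-mode=DISABLED) is rejected by the server rather than falling back to plaintext, so the Ssl_cipher check is a confirmation step, not the enforcement mechanism.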