What should a solutions architect do to meet this requirement?
A. Create a key in AWS Key Management Service (AWS KMS). Enable encryption for the DB instances.
B. Create an encryption key. Store the key in AWS Secrets Manager. Use the key to encrypt the DB instances.
C. Generate a certificate in AWS Certificate Manager (ACM). Enable SSL/TLS on the DB instances by using the certificate.
D. Generate a certificate in AWS Identity and Access Management (IAM). Enable SSL/TLS on the DB instances by using the certificate.
Explanations:
A. Creating a key in AWS Key Management Service (AWS KMS) and enabling encryption for the DB instances ensures that data at rest is encrypted. AWS RDS supports encryption using KMS keys, which helps protect sensitive data and complies with security requirements.
B. Storing a key in AWS Secrets Manager does not provide encryption for data at rest in RDS. Secrets Manager is intended for managing secrets, not for direct data encryption. Additionally, creating an encryption key without enabling encryption on the DB instances does not fulfill the requirement.
C. Generating a certificate in AWS Certificate Manager (ACM) and enabling SSL/TLS is related to securing data in transit, not at rest. This option does not address the requirement for encrypting data stored in the database instances.
D. As with option C, generating a certificate in AWS Identity and Access Management (IAM) and enabling SSL/TLS is focused on securing data in transit. It does not provide encryption for data at rest within the RDS DB instances.