Which combination of steps should the Database Specialist take to secure the cache data and protect it from unauthorized access?
(Choose three.)
Enable in-transit and at-rest encryption on the ElastiCache cluster.
Ensure that Amazon CloudWatch metrics are configured in the ElastiCache cluster.
Ensure the security group for the ElastiCache cluster allows all inbound traffic from itself and inbound traffic on TCP port 6379 from trusted clients only.
Create an IAM policy to allow the application service roles to access all ElastiCache API actions.
Ensure the security group for the ElastiCache clients authorizes inbound TCP port 6379 and port 22 traffic from the trusted ElastiCache cluster’s security group.
Ensure the cluster is created with the auth-token parameter and that the parameter is used in all subsequent commands.
Explanations:
Enabling both in-transit and at-rest encryption ensures that data is protected during transmission and when stored, preventing unauthorized access.
While CloudWatch metrics are useful for monitoring performance, they do not directly contribute to securing the cache data or protecting it from unauthorized access.
Configuring the security group to allow only trusted clients on TCP port 6379 ensures that only authorized services can communicate with the ElastiCache cluster.
Creating an IAM policy for ElastiCache API actions is unnecessary for securing data in the cluster itself. ElastiCache uses security groups and encryption for security.
Allowing inbound TCP port 22 (SSH) traffic in the security group for clients is not necessary for securing data access. Only port 6379 should be configured for trusted clients.
Using the auth-token parameter in the cluster and enforcing its use in all subsequent commands ensures that only authorized clients can interact with the cluster.