Which configuration approach will meet these requirements?
Enable Transparent Data Encryption (TDE) in the MySQL configuration file. Manually rotate the key every 12 months.
Enable RDS encryption on the database at creation time by using the AWS managed key for Amazon RDS.
Create a new AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Enable RDS encryption on the database at creation time by using the KMS key.
Create a new AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the RDS DB instance.
Explanations:
Transparent Data Encryption (TDE) is not natively supported in Amazon RDS for MySQL. Additionally, manually rotating the key does not satisfy the requirement for automated key rotation.
While enabling RDS encryption at creation time meets the requirement for encrypting data at rest, using the AWS managed key does not allow for key rotation, as AWS manages the keys without the ability for the customer to rotate them.
Creating a customer managed key in AWS KMS and enabling automatic key rotation satisfies both the encryption of data at rest and the requirement to rotate the keys annually. Additionally, enabling RDS encryption at creation time with this KMS key ensures that the database is encrypted properly.
While creating a KMS key and enabling automatic key rotation is valid, the statement about enabling encryption on EBS volumes is misleading in the context of RDS, as RDS manages its own storage, and this option does not specifically address the requirements of encrypting the RDS instance itself.
If memory serves me right, the answer is:
Create a new AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Enable RDS encryption on the database at creation time by using the KMS key.