Which solution meets these requirements?
Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer. Deploy self-signed certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Enable encryption of the RDS DB instance. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that support the EC2 instances.
Use TLS certificates from a third-party vendor with an Application Load Balancer. Install the same certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Secrets Manager for client-side encryption of application data.
Use AWS CloudHSM to generate TLS certificates for the EC2 instances. Install the TLS certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use the encryption keys form CloudHSM for client-side encryption of application data.
Use Amazon CloudFront with AWS WAF. Send HTTP connections to the origin EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Use AWS Key Management Service (AWS KMS) for client-side encryption of application data before the data is stored in the RDS database.
Explanations:
This option utilizes AWS Certificate Manager (ACM) for TLS certificates, which simplifies certificate management and renewal. It also uses an Application Load Balancer (ALB) to terminate TLS connections, ensuring data is encrypted in transit. The solution includes enabling encryption for the RDS instance and EBS volumes, which secures data at rest, thus fulfilling compliance requirements while minimizing operational overhead.
Although this option uses TLS certificates from a third-party vendor, which can work, it adds complexity and operational overhead compared to using ACM. Additionally, it does not mention encrypting the RDS instance or EBS volumes, which are critical for data at rest compliance. Using AWS Secrets Manager for client-side encryption does not directly relate to securing data in transit or at rest for the database.
This option requires the use of AWS CloudHSM for generating and managing TLS certificates, which increases operational complexity and cost. It does mention using TLS for the database connection, but it does not address encryption for the RDS instance or EBS volumes. Client-side encryption with CloudHSM keys adds more complexity and may not be necessary for this scenario.
While using Amazon CloudFront can provide some security benefits, it does not directly address securing data in transit between the EC2 instances and the RDS database without additional configuration. This option also does not ensure encryption of the RDS instance or EBS volumes, which are essential for compliance. Moreover, using AWS KMS for client-side encryption adds complexity without addressing the primary requirement of securing data in transit.
From my point of view, the answer is:
Use TLS certificates from AWS Certificate Manager (ACM) with an Application Load Balancer. Deploy self-signed certificates on the EC2 instances. Ensure that the database client software uses a TLS connection to Amazon RDS. Enable encryption of the RDS DB instance. Enable encryption on the Amazon Elastic Block Store (Amazon EBS) volumes that support the EC2 instances.