Which solution will meet these requirements?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company’s application team needs to host a MySQL database on AWS.According to the company’s security policy, all data that is stored on AWS must be encrypted at rest.In addition, all cryptographic material must be compliant with FIPS 140-2 Level 3 validation.The application team needs a solution that satisfies the company’s security requirements and minimizes operational overhead.

Which solution will meet these requirements?

Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS Key Management Service (AWS KMS) custom key store that is backed by AWS CloudHSM for key management.

Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS managed CMK in AWS Key Management Service (AWS KMS) for key management.

Host the database on an Amazon EC2 instance. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use a customer managed CMK in AWS Key Management Service (AWS KMS) for key management.

Host the database on an Amazon EC2 instance. Use Transparent Data Encryption (TDE) for encryption and key management.

Explanations:

Amazon RDS supports encryption at rest, and using a KMS custom key store backed by AWS CloudHSM ensures compliance with FIPS 140-2 Level 3 validation for cryptographic material. This solution minimizes operational overhead as it uses RDS and offloads management to AWS services.

While Amazon RDS supports encryption at rest, AWS managed CMKs in KMS do not meet the requirement for FIPS 140-2 Level 3 validation. AWS managed CMKs are not compliant with this standard.

Hosting on an EC2 instance requires manual management of encryption and key management. While EBS encryption and KMS are supported, the solution does not minimize operational overhead compared to Amazon RDS. Additionally, KMS does not automatically satisfy FIPS 140-2 Level 3 unless specifically configured with a FIPS-validated key store.

Transparent Data Encryption (TDE) is a feature for on-premises databases or self-managed databases on EC2. It requires manual management of keys and is not directly tied to FIPS 140-2 Level 3 compliance unless properly configured. It also increases operational overhead compared to managed services like RDS.

2025-10-01

1 Comment

  1. Michael
    Author

    I categorize that the answer is:
    Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS Key Management Service (AWS KMS) custom key store that is backed by AWS CloudHSM for key management.

Leave a Reply

Your email address will not be published. Required fields are marked *

15 − 11 =