AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A financial-services company hosts the three tiers of an application in three separate AWS workload accounts that belong to the same AWS Organizations organization. A dedicated security services account exists for centralized tooling.
The security team has issued the following compliance requirements:
- All application data that is stored in Amazon RDS, Amazon S3, and Amazon EBS must be encrypted at rest by using customer-managed AWS KMS keys that are rotated automatically and administered from a single account.
- All network traffic between the application VPCs and to AWS managed services must be encrypted in transit by using TLS 1.2 or later.
- X.509 certificate issuance and renewal must be fully automated.
- The solution must introduce no additional proxy servers or host-based encryption agents and must minimize ongoing operations.
Which approach meets all of these requirements with the least operational effort?
Enable server-side encryption with S3-managed keys (SSE-S3), use AWS-managed keys for RDS and EBS, and install self-signed certificates on the EC2 instances. Rotate the certificates by running a scheduled cron job on each server.
Deploy third-party file-level encryption agents on all EC2 instances, store encryption keys in an on-premises HSM, and terminate TLS on custom NGINX proxies that obtain certificates from the on-premises PKI. Share data among accounts by using service control policies (SCPs).
Create a symmetric customer-managed KMS key in the security services account, enable automatic key rotation, and add the workload accounts' root principals to the key policy. In every workload account, set this shared key (referenced by its full ARN) as the default EBS encryption key and use it to encrypt the RDS instance and the S3 bucket. Request ACM certificates in the workload accounts and associate them with HTTPS listeners on Application Load Balancers. Use interface VPC endpoints (AWS PrivateLink) for communications with AWS managed services.
Create a customer-managed KMS key in each workload account, enable automatic key rotation, turn on EBS encryption by default, encrypt the RDS instance and S3 bucket with the account's own key, and attach an ACM public certificate to an Application Load Balancer for HTTPS traffic. Use VPC peering for inter-tier connectivity.
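The third option stands or falls on the key policy of the shared key: a KMS key in another account can only be used by a workload account if that key's policy names the workload account's principals, and RDS and EBS additionally need permission to create grants on the key for their own use. The block below is an added illustration written for this page, not part of the question or of any AWS sample. It builds a key policy of that shape and includes a small evaluator so the reader can check who the policy lets do what. The account IDs are made up, and the evaluator covers only the key-policy half of a cross-account authorization (the caller's own account must also attach an IAM policy allowing the same actions on the key ARN); it is not a full IAM policy engine.

```python
"""Cross-account KMS key policy for a key administered from a security
services account and used by several workload accounts, plus a minimal
evaluator for checking the policy. Added example; account IDs are invented."""
import fnmatch
import json

SECURITY_ACCOUNT = "111111111111"                                   # assumed
WORKLOAD_ACCOUNTS = ["222222222222", "333333333333", "444444444444"]  # assumed

# Cryptographic use needed by S3, RDS and EBS when they encrypt on the caller's behalf.
USAGE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:DescribeKey"]


def build_key_policy(admin_account, workload_accounts):
    """Administration stays with the security account; workload account roots
    get usage rights and may create grants only on behalf of AWS services
    (the kms:GrantIsForAWSResource condition), which RDS and EBS require."""
    roots = [f"arn:aws:iam::{acct}:root" for acct in workload_accounts]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "KeyAdministrationFromSecurityAccount",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{admin_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "WorkloadAccountsUseTheKey",
                "Effect": "Allow",
                "Principal": {"AWS": roots},
                "Action": USAGE_ACTIONS,
                "Resource": "*",
            },
            {
                "Sid": "WorkloadAccountsCreateGrantsForAwsServices",
                "Effect": "Allow",
                "Principal": {"AWS": roots},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def _principal_matches(statement, account_id):
    spec = statement.get("Principal", {}).get("AWS", [])
    arns = spec if isinstance(spec, list) else [spec]
    return f"arn:aws:iam::{account_id}:root" in arns


def _action_matches(statement, action):
    patterns = statement["Action"]
    patterns = patterns if isinstance(patterns, list) else [patterns]
    # IAM action wildcards behave like shell globs (kms:* matches every kms action).
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_matches(statement, context):
    # Only Bool conditions are modelled; a missing context key reads as "false".
    for key, wanted in statement.get("Condition", {}).get("Bool", {}).items():
        if str(context.get(key, "false")).lower() != wanted.lower():
            return False
    return True


def is_allowed(policy, account_id, action, context=None):
    """Evaluate the key policy for a caller acting as the given account root.
    Deny wins over Allow; no matching statement means an implicit deny."""
    context = context or {}
    matches = [s for s in policy["Statement"]
               if _principal_matches(s, account_id)
               and _action_matches(s, action)
               and _condition_matches(s, context)]
    if any(s["Effect"] == "Deny" for s in matches):
        return False
    return any(s["Effect"] == "Allow" for s in matches)


KEY_POLICY = build_key_policy(SECURITY_ACCOUNT, WORKLOAD_ACCOUNTS)

if __name__ == "__main__":
    # The JSON is what you would pass to `aws kms put-key-policy --policy-name default`.
    print(json.dumps(KEY_POLICY, indent=2))
    print("workload may decrypt:", is_allowed(KEY_POLICY, WORKLOAD_ACCOUNTS[0], "kms:Decrypt"))
    print("workload may delete key:", is_allowed(KEY_POLICY, WORKLOAD_ACCOUNTS[0], "kms:ScheduleKeyDeletion"))
```

Two points the policy does not cover but the option depends on: automatic rotation is a property of the key itself (`aws kms enable-key-rotation --key-id <arn>`), not of the policy, and when EBS default encryption, RDS or S3 in a workload account is pointed at a key in another account, the key must be given as its full ARN, since aliases are not resolvable across accounts.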