Not C: Design encryption-at-rest strategies:
Amazon RDS offers encryption-at-rest for database storage by default. It handles the encryption of data on disk and manages the associated keys. As a customer, you can enable encryption when creating an Amazon RDS instance, but you don't need to design the encryption strategy yourself.
Design encryption-at-rest strategies – AWS provides built-in encryption options; you choose to enable them, but the design and implementation are largely AWS-managed.
Since this is a single option: while managing connections (A) is a customer task, encryption-at-rest strategies directly involve data security, a critical customer responsibility under the shared model. AWS RDS provides encryption tools, but customers must enable it.
Not 'A', because the RDS service manages database connections.
'C' is correct because RDS doesn't automatically set up encryption-at-rest. The customer has to choose whether to enable it via the console or pass the appropriate parameters when using the CLI or an API to create the DB. That's the strategy the customer is responsible for in the Shared Responsibility Model.
Think about it another way. Amazon isn't going to come along someday and decrypt a customer's database, so it can't be something they manage.
C. Design encryption-at-rest strategies
Explanation:
The customer's responsibility is to design encryption-at-rest strategies. This involves configuring encryption for data stored in the RDS database, ensuring sensitive data is protected from unauthorized access to the underlying storage. While Amazon RDS manages infrastructure, including hardware provisioning, database setup, patching, and backups, customers must take proactive steps to safeguard their data by designing and implementing encryption strategies based on their security and compliance needs.
This would be C, as per the 'Shared Responsibility Model' the customer is responsible for security 'in the cloud'. Though AWS provides encryption methods, activating and using them properly is the customer's responsibility.
To me, this became obvious once I stripped away the technical aspect of the question and just asked myself, would I, as a customer, want AWS to manage connections to my database? The answer is A.