ExpertMinds LogoExpertMinds
Hard1 markMultiple Choice
Domain 2.3: Security ControlsSecurityCloudHSMRDSCompliance

AWS SAP-C02 · Question 35 · Domain 2.3: Security Controls

A healthcare organization is migrating its patient records system to AWS. The system consists of a web frontend, an application tier, and an Oracle database. The organization must comply with strict regulatory requirements: all data must be encrypted at rest using a dedicated hardware security module (HSM) under their exclusive control, and the database must be highly available across multiple Availability Zones. Which combination of services and configurations should the Architect use? (Select THREE)

Answer options:

A.

Deploy an AWS CloudHSM cluster across multiple Availability Zones.

B.

Migrate the database to Amazon RDS for Oracle with Multi-AZ enabled.

C.

Configure Amazon RDS to use AWS KMS with a custom key store backed by the CloudHSM cluster.

D.

Migrate the database to Amazon Aurora PostgreSQL and use Aurora Global Database.

E.

Use AWS KMS with AWS managed keys to encrypt the RDS database.

F.

Deploy Oracle on Amazon EC2 instances and use AWS Secrets Manager to handle encryption keys.

How to approach this question

Combine the requirement for dedicated HSMs (CloudHSM) with managed database HA (RDS Multi-AZ) and the integration mechanism (KMS Custom Key Store).

Full Answer

Deploy an AWS CloudHSM cluster across multiple Availability Zones., Migrate the database to Amazon RDS for Oracle with Multi-AZ enabled., Configure Amazon RDS to use AWS KMS with a custom key store backed by the CloudHSM cluster.
To meet the requirement for exclusive control over a dedicated HSM, AWS CloudHSM must be used. To make CloudHSM work easily with AWS managed services like Amazon RDS, you configure AWS KMS to use a Custom Key Store backed by your CloudHSM cluster. This allows RDS to encrypt data seamlessly while the keys remain in your dedicated hardware. RDS Multi-AZ provides the required database high availability.

Common mistakes

Assuming KMS alone meets the 'dedicated HSM under exclusive control' requirement (standard KMS uses shared HSMs).
34All questions36

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 5

75 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01A global enterprise is redesigning its AWS network architecture across 50 AWS accounts and 3 AWS ...HardQ02A company uses AWS Organizations to manage multiple accounts. The security team mandates that no ...MediumQ03A financial institution requires a disaster recovery strategy for its critical trading applicatio...HardQ04An enterprise is setting up a new multi-account AWS environment using AWS Control Tower. They nee...MediumQ05A company has a complex AWS environment with hundreds of linked accounts under AWS Organizations....Hard
View all 75 questions →