The correct answer is to **provision a customer-managed key in AWS Key Management Service (KMS) and configure the RDS instances to use encryption during creation**. Amazon RDS supports encryption at rest using AWS KMS. You can choose either an AWS-managed key or a customer-managed KMS key during the creation of the RDS instance. Once enabled, this encryption protects the underlying storage and automated backups, read replicas, and snapshots.

The option to create a custom encryption key and store it in AWS Secrets Manager is incorrect because Secrets Manager is not designed to store or manage encryption keys. Its intended for securely storing secrets like database credentials or API tokensnot encryption key material. Additionally, manually encrypting RDS volumes is not a supported or scalable practice.

The suggestion to issue a TLS certificate from AWS Certificate Manager and activate SSL on the database instances confuses encryption in transit with encryption at rest. SSL/TLS protects data during transmission between the client and the RDS instance but does not encrypt the data stored on disk.

Similarly, the choice to generate a server certificate in IAM and use it for SSL connections is a misapplication. IAM is no longer used to manage server certificates for most modern workloads, and like ACM, SSL only protects data in transit, not data at rest.

This question is significant because it tests your understanding of AWS-native encryption mechanisms, especially the differences between data at rest and data in transit. A common trap is selecting SSL/TLS-based answers when the requirement is for encryption at rest. The key takeaway is that AWS KMS is the centralized tool for managing encryption keys across many services, including RDS. The challenge here lies in recognizing when encryption must occur at the storage layer rather than at the communication layer.

Full AWS Practitioner Certification Question