Amazon RDS supports encryption at rest using an AWS KMS key that is held in a custom key store backed by AWS CloudHSM. This allows the key material to be generated and protected in dedicated, FIPS 140-2 Level 3 validated hardware modules, meeting compliance requirements for sensitive data such as PII.
From AWS Documentation:
“You can use AWS KMS with keys that are backed by AWS CloudHSM to control the encryption of RDS databases. This provides dedicated HSM-backed key storage and management.”
(Source: Amazon RDS User Guide – Encrypting Amazon RDS Resources)
Why B is correct:
Meets the requirement for dedicated HSM hardware.
Fully integrates with RDS for transparent encryption at rest.
Satisfies compliance standards for healthcare and regulated data.
Why others are incorrect:
A: RDS cannot use keys held in CloudHSM directly; the key must be exposed to RDS through AWS KMS (a CloudHSM-backed custom key store).
C: EC2 instance store volumes are ephemeral local disks attached to an EC2 instance; they are not a storage or encryption option for RDS databases.
D: SSE-S3 applies to S3 objects, not to databases.
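Answer B is easy to state but worth verifying in an account, because an RDS instance can be "encrypted" with the default AWS-managed aws/rds key and still fail a dedicated-HSM requirement. The following added example (not part of the original explanation) shows the check a reviewer would script: a CloudHSM-backed KMS key reports Origin AWS_CLOUDHSM and a CustomKeyStoreId in the KeyMetadata returned by kms:DescribeKey, so an instance passes only if StorageEncrypted is true and its KmsKeyId resolves to such a key. The JSON is constructed inline to mirror the shape of `aws rds describe-db-instances` and `aws kms describe-key` output; the instance names, account ID, key IDs and key store IDs are hypothetical.

```python
"""Audit RDS instances for encryption at rest with a CloudHSM-backed KMS key.

Added example, not code from the original page. Runs offline on constructed
JSON shaped like `aws rds describe-db-instances` and `aws kms describe-key`.
"""
import json

# Constructed sample of DescribeDBInstances output (hypothetical identifiers).
DESCRIBE_DB_INSTANCES = json.loads("""
{
  "DBInstances": [
    {"DBInstanceIdentifier": "phi-db-prod", "StorageEncrypted": true,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"},
    {"DBInstanceIdentifier": "analytics-db", "StorageEncrypted": true,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222"},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": false}
  ]
}
""")

# Constructed sample of KeyMetadata from DescribeKey, indexed by key ARN.
# The first key lives in a CloudHSM custom key store; the second is the
# default AWS-managed aws/rds key, which is encrypted but not HSM-dedicated.
KEY_METADATA = {
    "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111": {
        "KeyState": "Enabled", "KeyManager": "CUSTOMER",
        "Origin": "AWS_CLOUDHSM",
        "CustomKeyStoreId": "cks-1234567890abcdef0",
        "CloudHsmClusterId": "cluster-1234567890a",
    },
    "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222": {
        "KeyState": "Enabled", "KeyManager": "AWS", "Origin": "AWS_KMS",
    },
}


def classify_instance(db, key_metadata):
    """Return (status, reason) for one DB instance description."""
    if not db.get("StorageEncrypted"):
        return ("FAIL", "storage not encrypted")
    meta = key_metadata.get(db.get("KmsKeyId"))
    if meta is None:
        return ("FAIL", "KMS key not found or not describable")
    if meta.get("KeyState") != "Enabled":
        return ("FAIL", f"key state is {meta.get('KeyState')}")
    # A CloudHSM-backed key is identified by its Origin and custom key store.
    if meta.get("Origin") != "AWS_CLOUDHSM" or not meta.get("CustomKeyStoreId"):
        return ("FAIL", f"key origin {meta.get('Origin')} is not a CloudHSM custom key store")
    return ("PASS", f"CloudHSM key store {meta['CustomKeyStoreId']} "
                    f"(cluster {meta.get('CloudHsmClusterId')})")


def audit(describe_output, key_metadata):
    """Map each DBInstanceIdentifier to its (status, reason)."""
    return {db["DBInstanceIdentifier"]: classify_instance(db, key_metadata)
            for db in describe_output["DBInstances"]}


if __name__ == "__main__":
    for name, (status, reason) in audit(DESCRIBE_DB_INSTANCES, KEY_METADATA).items():
        print(f"{status:4} {name}: {reason}")
```

In a real account the two dictionaries would be filled from the CLI or boto3 calls named above; the classification logic does not change. Only phi-db-prod passes: analytics-db is encrypted with the AWS-managed key (option B's intent is not met), and legacy-db is not encrypted at all.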
References: Amazon RDS User Guide – “Encryption at Rest with AWS KMS and CloudHSM”; AWS CloudHSM User Guide; AWS Well-Architected Framework – Security Pillar.