A company needs to use a Redshift cluster in AWS. The mandate is that all data is encrypted at rest. It also needs to be ensured that the keys used for encryption for the Redshift cluster are from an on-premise HSM device. Which of the following are most secure and cost-effective solutions? Choose 2 answers from the options given below

Answer options:

A.Create a VPN connection between the VPC holding the cluster and the On-premise network
B.Create a Direct Connect connection between the VPC holding the cluster and the On-premise network
C.Use client and server certificates to configure a trusted connection between Amazon Redshift and your HSM
D.Import the keys from the on-premise HSM device to KMS

Answer – A and C
The AWS Documentation mentions the following
Amazon Redshift uses a hierarchy of encryption keys to encrypt the database. You can use either AWS Key Management Service (AWS KMS) or a hardware security module (HSM) to manage the top-level encryption keys in this hierarchy. The process that Amazon Redshift uses for encryption differs depending on how you manage keys. Amazon Redshift automatically integrates with AWS KMS but not with an HSM. When you use an HSM, you must use client and server certificates to configure a trusted connection between Amazon Redshift and your HSM.
Option B is incorrect since using VPN involves encryption and will be more secure for transferring the encryption keys
Option D is incorrect since the KMS service cannot be used for importing keys
For more information on working with DB encryption, please visit the url
https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html