In order to encrypt data in transit for a connection to an AWS RDS instance, which of the following would you implement?

Answer options:

A.Transparent data encryption
B.SSL/TLS from your application
C.Data keys from AWS KMS
D.Data Keys from CloudHSM

Answer: B
Option A is incorrect because transparent data encryption is used for data at rest and not in transit.
Option B is CORRECT because Amazon RDS creates an SSL certificate and installs the certificate on the DB instance when the instance is provisioned. Once an encrypted connection is established, data transferred between the DB Instance and your application will be encrypted during transfer. You can also require your DB instance only to accept encrypted connections.
Options C is incorrect since Data keys from KMS can be used to encrypt data at rest and not for data in transit.
Options D is incorrect since Data keys from HSM can be used to encrypt data at rest and not for data in transit.
AWS Documentation provides more information as mentioned below:
You can use SSL/TLS from your application to encrypt a connection to a DB instance running MySQL, MariaDB, Amazon Aurora, SQL Server, Oracle, or PostgreSQL.
For more information on working with RDS and SSL, kindly refer to the following URL:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
https://aws.amazon.com/rds/features/security/