Answer – B and D
The AWS Documentation mentions the following.
Option B is correct because, with RDS-encrypted resources, data is encrypted at rest, including the underlying storage for a database (DB) instance, its automated backups, read replicas, and snapshots. This capability uses the open standard AES-256 encryption algorithm to encrypt your data, transparently to your database engine.
This encryption option protects against physical exfiltration or access to your data bypassing the DB instances. Therefore, it is critical to complement encrypted resources with an effective encryption key management and database credential management practice to mitigate any unauthorized access. Otherwise, compromised credentials or insufficiently protected keys might allow unauthorized users to access the plaintext data directly through the database engine.
Encryption key management is provided by AWS KMS.
Option D is correct because Amazon RDS encrypts your databases using keys you manage with the AWS Key Management Service (KMS). On a database instance running with Amazon RDS encryption, data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots. RDS encryption uses the industry-standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS instance.
Option C is incorrect because this is used for the encryption of objects in S3.
Option A is incorrect since this can be easily achieved using the encryption at rest feature for AWS RDS.
The term `rest` refers to data that is resting in storage, as opposed to data in transit, that is, data traveling to the database.
For more information on encryption for AWS RDS, please refer to the URLs below:
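An added example (not from the AWS documentation or the original page): a check over constructed records, shaped like the responses of the RDS DescribeDBInstances and DescribeDBSnapshots APIs, that confirms instances, read replicas and snapshots all report encryption at rest with a KMS key. The identifiers and the key ARN are constructed, and the field names are assumed to match the API responses.

```python
# Constructed placeholder key ARN; not a real key.
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

# Constructed sample records (DescribeDBInstances / DescribeDBSnapshots shape).
INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True, "KmsKeyId": KEY},
    {"DBInstanceIdentifier": "orders-replica", "StorageEncrypted": True, "KmsKeyId": KEY,
     "ReadReplicaSourceDBInstanceIdentifier": "orders-db"},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False},
]
SNAPSHOTS = [
    {"DBSnapshotIdentifier": "rds:orders-db-2024-01-01", "SnapshotType": "automated",
     "Encrypted": True, "KmsKeyId": KEY},
    {"DBSnapshotIdentifier": "legacy-manual", "SnapshotType": "manual", "Encrypted": False},
]


def audit(instances, snapshots):
    """Return (kind, identifier, reason) for each resource lacking encryption at rest."""
    findings = []
    by_id = {i["DBInstanceIdentifier"]: i for i in instances}
    for inst in instances:
        name = inst["DBInstanceIdentifier"]
        if not inst.get("StorageEncrypted"):
            findings.append(("instance", name, "storage not encrypted at rest"))
        elif not inst.get("KmsKeyId"):
            findings.append(("instance", name, "encrypted but no KMS key reported"))
        # A read replica should report the same encryption state as its source.
        src = by_id.get(inst.get("ReadReplicaSourceDBInstanceIdentifier"))
        if src and bool(src.get("StorageEncrypted")) != bool(inst.get("StorageEncrypted")):
            findings.append(("replica", name, "encryption state differs from source"))
    for snap in snapshots:
        if not snap.get("Encrypted"):
            findings.append(("snapshot", snap["DBSnapshotIdentifier"], "snapshot not encrypted"))
    return findings


if __name__ == "__main__":
    for finding in audit(INSTANCES, SNAPSHOTS):
        print(*finding, sep=": ")
```
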
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
https://aws.amazon.com/blogs/database/selecting-the-right-encryption-options-for-amazon-rds-and-amazon-aurora-database-engines/
https://aws.amazon.com/rds/features/security/