Hi Robert,
Thank you for posting your question. Just as you said, the official web page / AWS documentation that you are looking for is already provided in the detailed explanation and the reference links.
Indeed, TDE and RDS Encryption are two seemingly similar features. You can also use them together. The latter doesn’t support SQL Server Express Edition, although this is not the type of database mentioned in the question.
The scenario says:
A web application is currently using an on-premises Microsoft SQL Server 2017 Enterprise Edition database. Your manager instructed you to migrate the application to Elastic Beanstalk and the database to RDS. For additional security, you must configure your database to automatically encrypt data before it is written to storage, and automatically decrypt data when the data is read from storage.
Which of the following services will you use to achieve this?
Take note of the key phrase here: “automatically encrypt data before it is written to storage, and automatically decrypt data when the data is read from storage.”
The provided answer is:
Enable Transparent Data Encryption (TDE).
The incorrect option that you are referring to is this:
Enable RDS Encryption.
The rationale for the incorrect option in the explanation says:
… this simply encrypts your Amazon RDS DB instances and snapshots at rest. It doesn’t automatically encrypt data before it is written to storage, nor automatically decrypt data when it is read from storage.
The explanation also has the following screenshot, which contains the above key phrase:
https://udemy-images.s3.amazonaws.com/redactor/raw/2019-06-26_06-40-30-6f92efec7d7944f7a2698921f8ac94cc.png
The official AWS documentation says:
Amazon RDS supports using Transparent Data Encryption (TDE) to encrypt stored data on your DB instances running Microsoft SQL Server. TDE automatically encrypts data before it is written to storage, and automatically decrypts data when the data is read from storage.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.SQLServer.Options.TDE.html
The similarity of the wording in the scenario and the description of TDE is notable and, in my opinion, not a weak argument, as it’s almost verbatim.
In fact, the capability to “automatically encrypts data before it is written to storage” is unique to TDE: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15
RDS Encryption is using KMS to manage the encryption keys. The data must be written to storage first before RDS can start the encryption. Hence, it encrypts the data AFTER it is written to storage, which is the exact opposite of what TDE is doing.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!
Regards,
Jon Bonso @ Tutorials Dojo
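
For readers who want to see the TDE option from the thread in practice, the following T-SQL is an added example and not part of the original reply. It assumes the RDS SQL Server instance is already associated with an option group that includes the TDE option, that RDS has provisioned a server certificate whose name begins with `RDSTDECertificate`, and it uses a hypothetical database name `AppDb`.

```sql
-- Added example: turn on TDE for one database on RDS for SQL Server and
-- verify the result. [AppDb] is a hypothetical database name.
USE [master];

-- 1. Locate the TDE certificate that RDS created for this instance.
DECLARE @cert sysname =
    (SELECT TOP (1) name
       FROM sys.certificates
      WHERE name LIKE 'RDSTDECertificate%'
      ORDER BY name DESC);

IF @cert IS NULL
BEGIN;
    -- No certificate means the TDE option is not active on the instance.
    THROW 50000, N'No RDS TDE certificate found; check the option group.', 1;
END;

-- 2. Create the database encryption key, protected by that certificate.
--    The certificate name must be a literal, hence the dynamic SQL.
DECLARE @sql nvarchar(max) =
    N'USE [AppDb];
      CREATE DATABASE ENCRYPTION KEY
        WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE ' + QUOTENAME(@cert) + N';';
EXEC sys.sp_executesql @sql;

-- 3. Start encryption; a background scan encrypts the existing pages.
ALTER DATABASE [AppDb] SET ENCRYPTION ON;

-- 4. Verify. encryption_state: 1 = unencrypted, 2 = encryption in progress,
--    3 = encrypted. A database with no key has no row in the DMV (NULLs here).
SELECT d.name,
       d.is_encrypted,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length
  FROM sys.databases AS d
  LEFT JOIN sys.dm_database_encryption_keys AS k
         ON k.database_id = d.database_id
 ORDER BY d.name;
```

Re-run the final query until `encryption_state` reports 3 for `AppDb`; `tempdb` also shows as encrypted once any user database on the instance uses TDE.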