Design of SAP Workloads on AWS · hard · Multiple Select · Objective-mapped

PAS-C01 SAP HANA Native Encryption Practice Question

This PAS-C01 practice question tests your understanding of the design of SAP workloads on AWS. Match the stated requirement to the specific cloud service, access model, or configuration option; many options are valid in isolation but not for this scenario. A key principle to apply: SAP HANA Native Encryption. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company runs SAP HANA on AWS and wants to encrypt the database at rest. Which THREE options are available to achieve this?


Correct answer & explanation

Use AWS KMS with a custom key store to manage encryption keys.

Three options are available for encrypting SAP HANA at rest on AWS. Option B: AWS KMS with a custom key store allows you to use a customer-managed key store backed by AWS CloudHSM, providing control over encryption keys for data at rest, and integrates with EBS encryption. Option C: SAP HANA native encryption encrypts the database directly, which is independent of the underlying storage. Option E: Amazon EBS encryption encrypts all EBS volumes attached to the HANA instance, providing encryption at the block storage level. Option A is incorrect because SAP HANA runs on EC2, not RDS. Option D is incorrect because SAP HANA database files are stored on EBS volumes, not S3.

Key principle: SAP HANA Native Encryption

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • A. Use Amazon RDS encryption for the SAP HANA database.

    Why it's wrong here

    SAP HANA is not an RDS database.

  • B. Use AWS KMS with a custom key store to manage encryption keys.

    Why this is correct

    KMS can manage keys for EBS and HANA encryption.

    Related concept

    SAP HANA Native Encryption

  • C. Enable SAP HANA native encryption for the database.

    Why this is correct

    SAP HANA provides its own encryption.

    Related concept

    SAP HANA Native Encryption

  • D. Use Amazon S3 server-side encryption for database files.

    Why it's wrong here

    S3 is not used for HANA persistent storage.

  • E. Enable Amazon EBS encryption on all volumes attached to the HANA instance.

    Why this is correct

    EBS encryption provides at-rest encryption.

    Related concept

    SAP HANA Native Encryption

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates may confuse Amazon RDS encryption with EC2-based database encryption, not realizing that SAP HANA is self-managed on EC2 and does not use the RDS service, making option A technically inapplicable.

Detailed technical explanation

How to think about this question

SAP HANA on AWS typically uses EBS volumes for data and log storage, and enabling EBS encryption (option E) uses AWS KMS keys to encrypt the volume at the block level transparently. SAP HANA native encryption (option C) operates at the database layer, encrypting data pages and log entries before they are written to disk, which provides an additional layer of encryption independent of the underlying storage. In a real-world scenario, customers often combine EBS encryption with SAP HANA native encryption to meet dual-layer encryption requirements or to separate key management responsibilities.

Key Concepts to Remember

  • SAP HANA Native Encryption
  • AWS KMS Custom Key Store
  • Amazon EBS Encryption

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

SAP HANA Native Encryption

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

Quick reference

AWS S3 Storage Class Comparison

| Storage Class | Min Duration | Retrieval | Use Case |
|---|---|---|---|
| S3 Standard | None | Immediate | Frequently accessed data |
| S3 Standard-IA | 30 days | Immediate | Infrequent access, rapid retrieval |
| S3 One Zone-IA | 30 days | Immediate | Non-critical infrequent data |
| S3 Intelligent-Tiering | None | Immediate–hours | Unknown or changing access patterns |
| S3 Glacier Instant | 90 days | Milliseconds | Archive with instant retrieval |
| S3 Glacier Flexible | 90 days | Minutes–hours | Archive, flexible retrieval |
| S3 Glacier Deep Archive | 180 days | Hours | Long-term compliance archive |

What to study next

Got this wrong? Here's your next step.

Review SAP HANA Native Encryption, then practise related PAS-C01 questions on the same topic to reinforce the concept.



About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.


Last reviewed: Jun 24, 2026
