A company runs an online transaction processing (OLTP) workload on AWS using an unencrypted Amazon RDS DB instance in a Multi-AZ deployment. Daily DB snapshots are taken. What should a solutions architect do to ensure the database and snapshots are always encrypted going forward?
Choose an answer
Tap an option to check your answer.
Correct answer: Encrypt a copy of the latest DB snapshot. Replace the existing DB instance by restoring that encrypted snapshot..
Why this is the answer
Amazon RDS DB instances cannot be encrypted directly after creation if they were initially unencrypted. To encrypt an existing unencrypted RDS instance, you must create an encrypted copy of its latest snapshot. This encrypted snapshot can then be used to restore a new, encrypted RDS DB instance. This new instance will replace the original unencrypted instance, ensuring all future data and snapshots are encrypted. The other options are incorrect because: Creating a new encrypted EBS volume and copying snapshots to it does not encrypt the RDS instance itself. RDS uses its own storage, not directly exposed EBS volumes for this purpose. Copying snapshots and enabling encryption using KMS, then restoring to an existing DB instance, won't work because the existing instance remains unencrypted. You must restore to a new instance. Copying snapshots to an S3 bucket with SSE-KMS encrypts the snapshots in S3, but doesn't encrypt the RDS instance or its future snapshots.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed