AWS Certified Database – Specialty — Question 206
A company is using a 1 TB Amazon RDS for PostgreSQL DB instance to store user data. During a security review, a security engineer sees that the DB instance is not encrypted at rest.
How should a database specialist correct this issue with the LEAST amount of downtime and no data loss?
Answer options
- A. Modify the DB instance by using the RDS management console, and enable encryption. Apply the changes immediately.
- B. Create a manual DB instance snapshot and then create an encrypted copy of that snapshot. Use this snapshot to create a new encrypted DB instance. Modify the application to connect to the new DB instance.
- C. Create a new encrypted DB instance and use AWS Database Migration Service (AWS DMS) to migrate the existing database to the encrypted DB instance. Once the instances are in sync, modify the application to connect to the new DB instance.
- D. Create an encrypted read replica. Once the read replica is in sync, promote it to primary. Modify the application to connect to the new primary instance.
Correct answer: C
Explanation
Option C is correct because AWS DMS migrates the data to a new encrypted DB instance while keeping both databases in sync, so no data is lost at cutover. Option A is incorrect because encryption cannot be enabled on an existing DB instance without downtime. Option B, while feasible, involves more steps and time than using AWS DMS. Option D also involves additional complexity and potential downtime during the promotion process.