AWS Certified Database – Specialty — Question 261

A healthcare company is running an application on Amazon EC2 in a public subnet and using Amazon DocumentDB (with MongoDB compatibility) as the storage layer. An audit reveals that the traffic between the application and Amazon DocumentDB is not encrypted and that the DocumentDB cluster is not encrypted at rest. A database specialist must correct these issues and ensure that the data in transit and the data at rest are encrypted.

Which actions should the database specialist take to meet these requirements? (Choose two.)

Answer options

• A. Download the SSH RSA public key for Amazon DocumentDB. Update the application configuration to use the instance endpoint instead of the cluster endpoint and run queries over SSH.
• B. Download the SSL .pem public key for Amazon DocumentDAdd the key to the application package and make sure the application is using the key while connecting to the cluster.
• C. Create a snapshot of the unencrypted cluster. Restore the unencrypted snapshot as a new cluster with the --storage-encrypted parameter set to true. Update the application to point to the new cluster.
• D. Create an Amazon DocumentDB VPC endpoint to prevent the traffic from going to the Amazon DocumentDB public endpoint. Set a VPC endpoint policy to allow only the application instance's security group to connect.
• E. Activate encryption at rest using the modify-db-cluster command with the --storage-encrypted parameter set to true. Set the security group of the cluster to allow only the application instance's security group to connect.

Correct answer: B

Explanation

Option B is correct because downloading the SSL .pem public key and ensuring the application uses it is essential for encrypting data in transit. Options A and D do not address the encryption requirements, while options C and E focus on data at rest but don't handle the necessary encryption for data in transit.