AWS Certified Database – Specialty — Question 286
An ecommerce company migrates an on-premises MongoDB database to Amazon DocumentDB (with MongoDB compatibility). After the migration, a database specialist realizes that encryption at rest has not been turned on for the Amazon DocumentDB cluster.
What should the database specialist do to enable encryption at rest for the Amazon DocumentDB cluster?
Answer options
- A. Take a snapshot of the Amazon DocumentDB cluster. Restore the unencrypted snapshot as a new cluster while specifying the encryption option, and provide an AWS Key Management Service (AWS KMS) key.
- B. Enable encryption for the Amazon DocumentDB cluster on the AWS Management Console. Reboot the cluster.
- C. Modify the Amazon DocumentDB cluster by using the modify-db-cluster command with the --storage-encrypted parameter set to true.
- D. Add a new encrypted instance to the Amazon DocumentDB cluster, and then delete an unencrypted instance from the cluster. Repeat until all instances are encrypted.
Correct answer: A
Explanation
In Amazon DocumentDB, encryption at rest is a cluster-level setting that can only be chosen when a cluster is created; it cannot be turned on for an existing unencrypted cluster, and the instances in a cluster simply inherit the cluster's setting. To secure an unencrypted cluster, you must take a snapshot of it and then restore that snapshot as a new cluster with encryption enabled and an AWS KMS key specified, then move applications to the new cluster's endpoint and retire the old one. The other options, such as modifying the cluster configuration, rebooting, or adding encrypted instances to an unencrypted cluster, are not supported.