AWS Certified Database – Specialty — Question 300

A company's development team needs to have production data restored in a staging AWS account. The production database is running on an Amazon RDS for
PostgreSQL Multi-AZ DB instance, which has AWS KMS encryption enabled using the default KMS key. A database specialist planned to share the most recent automated snapshot with the staging account, but discovered that the option to share snapshots is disabled in the AWS Management Console.
What should the database specialist do to resolve this?

Answer options

• A. Disable automated backups in the DB instance. Share both the automated snapshot and the default KMS key with the staging account. Restore the snapshot in the staging account and enable automated backups.
• B. Copy the automated snapshot specifying a custom KMS encryption key. Share both the copied snapshot and the custom KMS encryption key with the staging account. Restore the snapshot to the staging account within the same Region.
• C. Modify the DB instance to use a custom KMS encryption key. Share both the automated snapshot and the custom KMS encryption key with the staging account. Restore the snapshot in the staging account.
• D. Copy the automated snapshot while keeping the default KMS key. Share both the snapshot and the default KMS key with the staging account. Restore the snapshot in the staging account.

Correct answer: B

Explanation

Automated RDS snapshots cannot be shared directly with other AWS accounts, and snapshots encrypted using the default AWS-managed KMS key cannot be shared cross-account. To share the database, you must copy the automated snapshot to a manual snapshot and encrypt it with a custom customer-managed KMS key. Once copied, both the manual snapshot and the custom KMS key can be shared with the target staging account for restoration.