AWS Certified Database – Specialty — Question 308
A finance company migrated its 3 TB on-premises PostgreSQL database to an Amazon Aurora PostgreSQL DB cluster. During a review after the migration, a database specialist discovers that the database is not encrypted at rest. The database must be encrypted at rest as soon as possible to meet security requirements. The database specialist must enable encryption for the DB cluster with minimal downtime.
Which solution will meet these requirements?
Answer options
- A. Modify the unencrypted DB cluster using the AWS Management Console. Enable encryption and choose to apply the change immediately.
- B. Take a snapshot of the unencrypted DB cluster and restore it to a new DB cluster with encryption enabled. Update any database connection strings to reference the new DB cluster endpoint, and then delete the unencrypted DB cluster.
- C. Create an encrypted Aurora Replica of the unencrypted DB cluster. Promote the Aurora Replica as the new master.
- D. Create a new DB cluster with encryption enabled and use the pg_dump and pg_restore utilities to load data to the new DB cluster. Update any database connection strings to reference the new DB cluster endpoint, and then delete the unencrypted DB cluster.
Correct answer: B
Explanation
Amazon Aurora does not support enabling encryption at rest on an existing unencrypted DB cluster directly, nor does it support creating an encrypted replica of an unencrypted cluster. To enable encryption, you must take a snapshot of the unencrypted DB cluster, restore that snapshot to a new DB cluster with encryption enabled, and point your applications to the new cluster endpoint. While using pg_dump and pg_restore is technically possible, it would result in significantly higher downtime compared to restoring a snapshot.