AWS Certified Database – Specialty — Question 313
A company has a database fleet that includes an Amazon RDS for MySQL DB instance. During an audit, the company discovered that the data that is stored on the DB instance is unencrypted.
A database specialist must enable encryption for the DB instance. The database specialist also must encrypt all connections to the DB instance.
Which combination of actions should the database specialist take to meet these requirements? (Choose three.)
Answer options
- A. In the RDS console, choose "Enable encryption" to encrypt the DB instance by using an AWS Key Management Service (AWS KMS) key.
- B. Encrypt the read replica of the unencrypted DB instance by using an AWS Key Management Service (AWS KMS) key. Fail over the read replica to the primary DB instance.
- C. Create a snapshot of the unencrypted DB instance. Encrypt the snapshot by using an AWS Key Management Service (AWS KMS) key. Restore the DB instance from the encrypted snapshot. Delete the original DB instance.
- D. Require SSL connections for applicable database user accounts.
- E. Use SSL/TLS from the application to encrypt a connection to the DB instance.
- F. Enable SSH encryption on the DB instance.
Correct answer: C, D, E
Explanation
To encrypt an existing unencrypted Amazon RDS DB instance, you must take a snapshot, copy that snapshot with encryption enabled under an AWS KMS key, and restore a new instance from the encrypted copy; encryption at rest cannot be switched on for an existing, running instance. To secure data in transit, you must configure the database user accounts to require SSL and ensure the application connects using SSL/TLS. RDS does not expose SSH access to the DB instance host, so option F is not something you can enable, and you cannot create an encrypted read replica of an unencrypted instance, so option B does not work either.
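The three correct actions as working code, added here as an example (it is not from the exam page or from AWS). All names are constructed for the example: an instance `prod-mysql`, a KMS alias `alias/rds-data`, and a MySQL account `'app'@'%'`. The RDS client is passed in, so `encrypt_instance_via_snapshot` runs unchanged against `boto3.client("rds")` or against the offline `FakeRDS` stand-in defined below, which records the call sequence.

```python
"""Added example, not the exam page's or AWS's code: RDS encryption at rest via
snapshot copy (option C), REQUIRE SSL on the MySQL account (option D) and a
check that the application's session really is TLS (option E). Identifiers
('prod-mysql', 'alias/rds-data', 'app') are constructed for the example."""


def encrypt_instance_via_snapshot(rds, instance_id, kms_key_id, suffix="enc"):
    """Option C: snapshot -> KMS-encrypted copy -> restore a new instance.

    Encryption at rest cannot be turned on in place, so the result is a new
    instance with a new endpoint; the original is left running so the caller
    can cut applications over and then delete it.
    """
    plain_snap = f"{instance_id}-plain-{suffix}"
    enc_snap = f"{instance_id}-encrypted-{suffix}"
    new_instance = f"{instance_id}-{suffix}"

    # 1. Snapshot the unencrypted instance.
    rds.create_db_snapshot(DBInstanceIdentifier=instance_id,
                           DBSnapshotIdentifier=plain_snap)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=plain_snap)

    # 2. The copy is where encryption is applied: KmsKeyId on the target.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=plain_snap,
                         TargetDBSnapshotIdentifier=enc_snap,
                         KmsKeyId=kms_key_id, CopyTags=True)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=enc_snap)

    # 3. Restore; the new instance inherits the snapshot's encryption.
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=new_instance,
                                             DBSnapshotIdentifier=enc_snap)
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=new_instance)

    return {"plain_snapshot": plain_snap, "encrypted_snapshot": enc_snap,
            "new_instance": new_instance}


def storage_encrypted(rds, instance_id):
    """Audit check: StorageEncrypted is the at-rest flag the audit reads."""
    resp = rds.describe_db_instances(DBInstanceIdentifier=instance_id)
    return bool(resp["DBInstances"][0].get("StorageEncrypted", False))


def require_ssl_sql(user, host="%"):
    """Option D: account-level statement that makes MySQL refuse plaintext
    logins (ALTER USER ... REQUIRE SSL, MySQL 5.7+), plus the status query an
    operator runs inside a session to confirm it is TLS-protected."""
    for part in (user, host):
        if "'" in part or "\\" in part:
            raise ValueError("quote or backslash in account name: %r" % part)
    return [f"ALTER USER '{user}'@'{host}' REQUIRE SSL;",
            "SHOW STATUS LIKE 'Ssl_cipher';"]


def session_is_tls(status_rows):
    """Option E check on rows from SHOW STATUS LIKE 'Ssl_cipher', given as
    (Variable_name, Value) pairs: an empty Ssl_cipher means the session is
    plaintext even though the server supports TLS."""
    return dict(status_rows).get("Ssl_cipher", "") != ""


class FakeRDS:
    """Offline stand-in for boto3's RDS client: records each call in order and
    reports only instances restored through it as encrypted."""

    def __init__(self):
        self.calls = []

    def _record(self, name, **kw):
        self.calls.append((name, kw))

    def create_db_snapshot(self, **kw):
        self._record("create_db_snapshot", **kw)

    def copy_db_snapshot(self, **kw):
        self._record("copy_db_snapshot", **kw)

    def restore_db_instance_from_db_snapshot(self, **kw):
        self._record("restore_db_instance_from_db_snapshot", **kw)

    def get_waiter(self, name):
        record = self._record

        class Waiter:
            def wait(self, **kw):
                record("wait:" + name, **kw)
        return Waiter()

    def describe_db_instances(self, DBInstanceIdentifier):
        encrypted = any(c[0] == "restore_db_instance_from_db_snapshot"
                        and c[1]["DBInstanceIdentifier"] == DBInstanceIdentifier
                        for c in self.calls)
        return {"DBInstances": [{"DBInstanceIdentifier": DBInstanceIdentifier,
                                 "StorageEncrypted": encrypted}]}


if __name__ == "__main__":
    rds = FakeRDS()  # real account: import boto3; rds = boto3.client("rds")
    ids = encrypt_instance_via_snapshot(rds, "prod-mysql", "alias/rds-data")
    print(ids, "encrypted:", storage_encrypted(rds, ids["new_instance"]))
    print("\n".join(require_ssl_sql("app")))
    print("TLS session:", session_is_tls([("Ssl_cipher", "TLS_AES_256_GCM_SHA384")]))
```

`REQUIRE SSL` only forces the server to refuse plaintext logins for that account; it does not make the client verify whom it is talking to. For option E the application side should also validate the server certificate, for example with the `mysql` client's `--ssl-mode=VERIFY_IDENTITY --ssl-ca=<RDS CA bundle>` flags, and the `Ssl_cipher` check above is how an operator confirms from inside a session that the connection was actually negotiated over TLS.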