AWS Certified Database – Specialty — Question 32
A Database Specialist migrated an existing production MySQL database from on-premises to an Amazon RDS for MySQL DB instance. However, after the migration, the database needed to be encrypted at rest using AWS KMS. Due to the size of the database, reloading the data into an encrypted database would be too time-consuming, so it is not an option.
How should the Database Specialist satisfy this new requirement?
Answer options
- A. Create a snapshot of the unencrypted RDS DB instance. Create an encrypted copy of the unencrypted snapshot. Restore the encrypted snapshot copy.
- B. Modify the RDS DB instance. Enable the AWS KMS encryption option that leverages the AWS CLI.
- C. Restore an unencrypted snapshot into a MySQL RDS DB instance that is encrypted.
- D. Create an encrypted read replica of the RDS DB instance. Promote it to the master.
Correct answer: A
Explanation
The correct answer is A because creating a snapshot of the unencrypted instance and then creating an encrypted copy of that snapshot allows the database to be encrypted without reloading the data. Option B is incorrect because you cannot enable encryption on an existing RDS instance after it has been created; it must be done at the time of creation. Option C is not valid because restoring an unencrypted snapshot to an encrypted instance does not meet the encryption requirement. Option D does not solve the problem of the original instance needing encryption at rest.