AWS Certified Database – Specialty — Question 352
A company is running a blogging platform. A security audit determines that the Amazon RDS DB instance that is used by the platform is not configured to encrypt the data at rest. The company must encrypt the DB instance within 30 days.
What should a database specialist do to meet this requirement with the LEAST amount of downtime?
Answer options
- A. Create a read replica of the DB instance, and enable encryption. When the read replica is available, promote the read replica and update the endpoint that is used by the application. Delete the unencrypted DB instance.
- B. Take a snapshot of the DB instance. Make an encrypted copy of the snapshot. Restore the encrypted snapshot. When the new DB instance is available, update the endpoint that is used by the application. Delete the unencrypted DB instance.
- C. Create a new encrypted DB instance. Perform an initial data load, and set up logical replication between the two DB instances. When the new DB instance is in sync with the source DB instance, update the endpoint that is used by the application. Delete the unencrypted DB instance.
- D. Convert the DB instance to an Amazon Aurora DB cluster, and enable encryption. When the DB cluster is available, update the endpoint that is used by the application to the cluster endpoint. Delete the unencrypted DB instance.
Correct answer: C
Explanation
Setting up logical replication between the original unencrypted DB instance and a new encrypted DB instance keeps the two continuously in sync, so the final cutover requires only a brief endpoint (DNS) update and minimal downtime. In contrast, restoring from an encrypted snapshot copy (Option B) requires stopping writes to the source to avoid data loss during the lengthy snapshot, copy, and restore process, which results in significant downtime. Additionally, Amazon RDS does not support creating an encrypted read replica directly from an unencrypted source instance (Option A).