AWS Certified Database – Specialty — Question 79
A company is running an Amazon RDS for MySQL Multi-AZ DB instance for a business-critical workload. RDS encryption for the DB instance is disabled. A recent security audit concluded that all business-critical applications must encrypt data at rest. The company has asked its database specialist to formulate a plan to accomplish this for the DB instance.
Which process should the database specialist recommend?
Answer options
- A. Create an encrypted snapshot of the unencrypted DB instance. Copy the encrypted snapshot to Amazon S3. Restore the DB instance from the encrypted snapshot using Amazon S3.
- B. Create a new RDS for MySQL DB instance with encryption enabled. Restore the unencrypted snapshot to this DB instance.
- C. Create a snapshot of the unencrypted DB instance. Create an encrypted copy of the snapshot. Restore the DB instance from the encrypted snapshot.
- D. Temporarily shut down the unencrypted DB instance. Enable AWS KMS encryption in the AWS Management Console using an AWS managed CMK. Restart the DB instance in an encrypted state.
Correct answer: C
Explanation
The correct choice is C: take a snapshot of the unencrypted DB instance, create an encrypted copy of that snapshot, and restore the DB instance from the encrypted copy. Option A incorrectly suggests copying the snapshot to S3, which is unnecessary for this process. Option B does not directly encrypt the existing data; it involves creating a new instance instead. Option D incorrectly implies that you can enable encryption on an already running instance without data loss, which is not possible.