AWS Certified Database – Specialty — Question 94
A company is using an Amazon RDS for MySQL DB instance for its internal applications. A security audit shows that the DB instance is not encrypted at rest. The company's application team needs to encrypt the DB instance.
What should the team do to meet this requirement?
Answer options
- A. Stop the DB instance and modify it to enable encryption. Apply this setting immediately without waiting for the next scheduled RDS maintenance window.
- B. Stop the DB instance and create an encrypted snapshot. Restore the encrypted snapshot to a new encrypted DB instance. Delete the original DB instance, and update the applications to point to the new encrypted DB instance.
- C. Stop the DB instance and create a snapshot. Copy the snapshot into another encrypted snapshot. Restore the encrypted snapshot to a new encrypted DB instance. Delete the original DB instance, and update the applications to point to the new encrypted DB instance.
- D. Create an encrypted read replica of the DB instance. Promote the read replica to master. Delete the original DB instance, and update the applications to point to the new encrypted DB instance.
Correct answer: C
Explanation
Option C is correct. Encryption at rest for an RDS DB instance can only be chosen when the instance is created, so an existing unencrypted instance is encrypted by migrating its data: take a snapshot, copy the snapshot while specifying a KMS key (the copy is where encryption is applied), restore the encrypted copy to a new DB instance (which inherits the snapshot's encryption), and repoint the applications. Because the restored instance has a new endpoint and the original keeps serving unencrypted data until it is deleted, the application should be quiesced (or the source instance stopped, as the option states) so that no writes land on the old instance between the snapshot and the cutover. Option A is incorrect because modifying an existing DB instance cannot enable encryption, whether the change is applied immediately or in the maintenance window. Option B is incorrect because a snapshot taken from an unencrypted DB instance is itself unencrypted; the step that applies the key is the snapshot copy, and it is missing. Option D is incorrect because RDS does not allow an encrypted read replica of an unencrypted source DB instance (the replica's encryption state must match the source), so the replica in that option cannot be created.
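The procedure in option C, written out as an added AWS CLI script (this is example code, not part of the exam page or AWS documentation). It assumes AWS CLI v2 with credentials and a default region configured; the instance identifiers, snapshot names and the KMS key alias are placeholders. Each step waits for the previous one and verifies that the copied snapshot and the restored instance actually report encryption before moving on, which is the check a practitioner wants before deleting the original.

```shell
#!/bin/sh
# Added example: encrypt an existing unencrypted RDS for MySQL instance by
# snapshot -> encrypted copy -> restore -> verify. Identifiers are placeholders.
SRC_DB="${SRC_DB:-mydb}"                 # existing unencrypted instance (assumed name)
NEW_DB="${NEW_DB:-mydb-encrypted}"       # new encrypted instance (assumed name)
KMS_KEY="${KMS_KEY:-alias/aws/rds}"      # AWS managed RDS key; use a CMK ARN for key policy control
SNAP_PLAIN="${SRC_DB}-plain-snap"        # snapshot of the source: still unencrypted
SNAP_ENC="${SRC_DB}-enc-snap"            # the copy: encrypted with KMS_KEY

# reports_encrypted VALUE: true when a --query result says the object is encrypted.
# '--output text' prints the boolean as "True"; JSON output prints "true".
reports_encrypted() {
  [ "$1" = "true" ] || [ "$1" = "True" ]
}

encrypt_db() {
  # 1. Snapshot the source. A snapshot of an unencrypted instance is unencrypted
  #    (this is why option B fails); quiesce the application first so no writes are lost.
  aws rds create-db-snapshot \
    --db-instance-identifier "$SRC_DB" \
    --db-snapshot-identifier "$SNAP_PLAIN" >/dev/null
  aws rds wait db-snapshot-available --db-snapshot-identifier "$SNAP_PLAIN"

  # 2. Copy the snapshot with a KMS key: encryption is applied during the copy.
  aws rds copy-db-snapshot \
    --source-db-snapshot-identifier "$SNAP_PLAIN" \
    --target-db-snapshot-identifier "$SNAP_ENC" \
    --kms-key-id "$KMS_KEY" \
    --copy-tags >/dev/null
  aws rds wait db-snapshot-available --db-snapshot-identifier "$SNAP_ENC"

  # Verify the copy is encrypted before restoring anything from it.
  enc=$(aws rds describe-db-snapshots \
    --db-snapshot-identifier "$SNAP_ENC" \
    --query 'DBSnapshots[0].Encrypted' --output text)
  reports_encrypted "$enc" || { echo "copy $SNAP_ENC is not encrypted" >&2; return 1; }

  # 3. Restore the encrypted copy to a new instance; it inherits the snapshot's key.
  #    Pass subnet group / security groups / parameter group explicitly in real use
  #    instead of relying on defaults.
  aws rds restore-db-instance-from-db-snapshot \
    --db-instance-identifier "$NEW_DB" \
    --db-snapshot-identifier "$SNAP_ENC" \
    --no-publicly-accessible >/dev/null
  aws rds wait db-instance-available --db-instance-identifier "$NEW_DB"

  # 4. Verify encryption at rest on the new instance and print the new endpoint
  #    that the applications must be repointed to.
  enc=$(aws rds describe-db-instances \
    --db-instance-identifier "$NEW_DB" \
    --query 'DBInstances[0].StorageEncrypted' --output text)
  reports_encrypted "$enc" || { echo "instance $NEW_DB is not encrypted" >&2; return 1; }
  aws rds describe-db-instances \
    --db-instance-identifier "$NEW_DB" \
    --query 'DBInstances[0].[Endpoint.Address,KmsKeyId]' --output text
}

# 5. Only after the applications are cut over: delete the original, keeping a
#    final snapshot so the unencrypted data is recoverable if the cutover is wrong.
retire_original() {
  aws rds delete-db-instance \
    --db-instance-identifier "$SRC_DB" \
    --final-db-snapshot-identifier "${SRC_DB}-final-snap" >/dev/null
}

# Guarded so that sourcing the file does not touch AWS; run with RUN_ENCRYPT=1.
if [ "${RUN_ENCRYPT:-0}" = "1" ]; then
  encrypt_db
fi
```

Run with `RUN_ENCRYPT=1 SRC_DB=<instance> ./encrypt-rds.sh`, repoint the applications at the printed endpoint, then call `retire_original` once the cutover is confirmed. The final unencrypted snapshot left by `retire_original` should itself be deleted (or copied with the key and then deleted) once it is no longer needed, since it still holds plaintext.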