AWS Certified Security – Specialty — Question 411
A company released a new software-as-a-service (SaaS) application that is receiving significant adoption by end users. The rds-storage-encrypted AWS Config managed rule generates an alert that notifies the company’s security team about a resource that is not compliant. The noncompliant resource is an Amazon RDS for MySQL database that was deployed as part of the newly released application.
How can the security team resolve the noncompliance with the LEAST disruption of application availability for the end users?
Answer options
- A. Use AWS Database Migration Service (AWS DMS) with full load and change data capture (CDC) between the noncompliant database and a new database with storage encrypted. When full load is finished, cut over any application endpoints to the new encrypted database.
- B. Create a snapshot of the noncompliant DB instance. Make a copy of the snapshot in the same AWS Region with encryption configured. Restore the snapshot as a new DB instance. Cut over any application endpoints to the newly restored database.
- C. Deploy a patch to the application to stop writing to the noncompliant database. Enable storage encryption by using the AWS CLI. Patch the application again to restore writing to the database.
- D. Add a read replica to the noncompliant DB instance. Enable storage encryption on the read replica. When the read replica is available, cut over from the writer DB instance to the read replica. Delete the unencrypted DB instance after the cutover.
Correct answer: A
Explanation
Amazon RDS does not support enabling storage encryption on an existing unencrypted DB instance, nor does it allow creating an encrypted read replica from an unencrypted primary instance, which rules out options C and D. Restoring from an encrypted snapshot copy, as described in option B, is a valid way to encrypt a database, but it requires significant downtime: writes must stop before the snapshot is taken, or the data written during the copy and restore is lost. Using AWS DMS with full load and change data capture (CDC) keeps the unencrypted source and the encrypted target synchronized in near real time, so the endpoint cutover can happen with near-zero downtime.
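As an added illustration of the explanation above (not part of the exam page), the following Python mirrors the check the rds-storage-encrypted rule performs on a describe-db-instances record and builds the boto3 parameters for the option A migration: an encrypted target instance (encryption can only be set at creation) and a DMS task of type full-load-and-cdc. The instance names, ARNs, schema name and KMS key are placeholders.

```python
"""Added example: rds-storage-encrypted style check plus the API parameters
for the full-load-and-CDC migration to an encrypted RDS target."""
import json

# Constructed sample: shape of one entry returned by rds describe-db-instances.
UNENCRYPTED_DB = {
    "DBInstanceIdentifier": "saas-prod-mysql",  # placeholder name
    "Engine": "mysql", "EngineVersion": "8.0.35",
    "DBInstanceClass": "db.r6g.large", "AllocatedStorage": 200,
    "StorageEncrypted": False, "KmsKeyId": None,
}


def noncompliant_instances(db_instances, required_kms_keys=None):
    """Mirror the Config rule: flag instances whose storage is unencrypted, or,
    when the rule's optional kmsKeyId parameter is set, encrypted with a key
    that is not in the allowed list."""
    flagged = []
    for db in db_instances:
        if not db.get("StorageEncrypted"):
            flagged.append(db["DBInstanceIdentifier"])
        elif required_kms_keys and db.get("KmsKeyId") not in required_kms_keys:
            flagged.append(db["DBInstanceIdentifier"])
    return flagged


def encrypted_target_params(source, new_identifier, kms_key_id):
    """Kwargs for rds.create_db_instance: same engine and size as the source,
    but StorageEncrypted=True, which is only possible at creation time."""
    return {
        "DBInstanceIdentifier": new_identifier,
        "Engine": source["Engine"], "EngineVersion": source["EngineVersion"],
        "DBInstanceClass": source["DBInstanceClass"],
        "AllocatedStorage": source["AllocatedStorage"],
        "StorageEncrypted": True, "KmsKeyId": kms_key_id,
    }


def dms_task_params(task_id, repl_instance_arn, source_arn, target_arn, schema):
    """Kwargs for dms.create_replication_task: full load followed by CDC keeps
    the encrypted target in sync until the application endpoints are cut over."""
    table_mappings = {"rules": [{
        "rule-type": "selection", "rule-id": "1", "rule-name": "1",
        "object-locator": {"schema-name": schema, "table-name": "%"},
        "rule-action": "include",
    }]}
    return {
        "ReplicationTaskIdentifier": task_id,
        "SourceEndpointArn": source_arn, "TargetEndpointArn": target_arn,
        "ReplicationInstanceArn": repl_instance_arn,
        "MigrationType": "full-load-and-cdc",
        "TableMappings": json.dumps(table_mappings),
    }
```

The two dicts are passed as `**kwargs` to `boto3` `rds.create_db_instance` and `dms.create_replication_task`; the DMS endpoints and replication instance are assumed to exist already.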