AWS Certified Solutions Architect – Associate (SAA-C02) — Question 10
A company's legacy application is currently relying on a single-instance Amazon RDS MySQL database without encryption. Due to new compliance requirements, all existing and new data in this database must be encrypted.
How should this be accomplished?
Answer options
- A. Create an Amazon S3 bucket with server-side encryption enabled. Move all the data to Amazon S3. Delete the RDS instance.
- B. Enable RDS Multi-AZ mode with encryption at rest enabled. Perform a failover to the standby instance to delete the original instance.
- C. Take a snapshot of the RDS instance. Create an encrypted copy of the snapshot. Restore the RDS instance from the encrypted snapshot.
- D. Create an RDS read replica with encryption at rest enabled. Promote the read replica to master and switch the application over to the new master. Delete the old RDS instance.
Correct answer: C
Explanation
The correct answer is C because taking a snapshot and creating an encrypted copy allows the existing data to be safely transitioned to an encrypted state while preserving the database's integrity. Option A is incorrect because moving the data to S3 does not keep the application functional. Option B does not ensure data encryption for the original instance. Option D involves unnecessary complexity by using a read replica instead of directly encrypting the existing instance.