AWS Certified Solutions Architect – Associate (SAA-C02) — Question 30
A company currently operates a web application backed by an Amazon RDS MySQL database. It has automated backups that are run daily and are not encrypted. A security audit requires future backups to be encrypted and the unencrypted backups to be destroyed. The company will make at least one encrypted backup before destroying the old backups.
What should be done to enable encryption for future backups?
Answer options
- A. Enable default encryption for the Amazon S3 bucket where backups are stored.
- B. Modify the backup section of the database configuration to toggle the Enable encryption check box.
- C. Create a snapshot of the database. Copy it to an encrypted snapshot. Restore the database from the encrypted snapshot.
- D. Enable an encrypted read replica on RDS for MySQL. Promote the encrypted read replica to primary. Remove the original database instance.
Correct answer: C
Explanation
The correct answer is C. Encryption for an RDS DB instance is set when the instance is created, so the route to encrypted backups is to snapshot the unencrypted database, copy that snapshot to an encrypted snapshot, and restore a new instance from the encrypted copy. The automated backups of the restored, encrypted instance are then encrypted, which satisfies the security audit. The other options do not directly address the need for encrypted backups: enabling S3 bucket encryption (A) does not apply to database backups, and modifying configuration settings (B) does not provide an immediate solution for existing data. Option D involves unnecessary complexity and does not focus on the backup process.