AWS Certified Solutions Architect – Associate (SAA-C02) — Question 338
A company is running an online transaction processing (OLTP) workload on AWS. This workload uses an unencrypted Amazon RDS DB instance in a Multi-AZ deployment. Daily database snapshots are taken from this instance.
What should a solutions architect do to ensure the database and snapshots are always encrypted moving forward?
Answer options
- A. Encrypt a copy of the latest DB snapshot. Replace the existing DB instance by restoring the encrypted snapshot.
- B. Create a new encrypted Amazon Elastic Block Store (Amazon EBS) volume and copy the snapshots to it. Enable encryption on the DB instance.
- C. Copy the snapshots and enable encryption using AWS Key Management Service (AWS KMS). Restore the encrypted snapshot to an existing DB instance.
- D. Copy the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS).
Correct answer: A
Explanation
To encrypt an existing unencrypted Amazon RDS DB instance, you must copy a snapshot of the instance, enable encryption (choosing the KMS key) during the copy, and then restore a new DB instance from that encrypted copy. Because the restored instance is encrypted, every snapshot taken from it afterwards is encrypted as well, which is what "moving forward" requires. Encryption cannot be turned on for a running unencrypted RDS instance, and an encrypted snapshot cannot be restored into an existing DB instance, which rules out options B and C. Option D only secures the snapshot copies in Amazon S3 and does nothing for the active RDS DB instance itself.
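As an added example (not part of the question bank or any AWS tooling), the audit and remediation described above in Python: it scans JSON shaped like `aws rds describe-db-instances` / `describe-db-snapshots` output for unencrypted instances, selects each one's latest snapshot, and emits the copy-with-KMS, restore and verification steps. The instance names, snapshot names and KMS alias are constructed.

```python
"""Find unencrypted RDS instances and emit the snapshot-copy remediation steps."""
import json

# Constructed sample output (trimmed to the fields inspected); not real AWS data.
SAMPLE_INSTANCES = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "oltp-prod", "StorageEncrypted": False, "MultiAZ": True},
    {"DBInstanceIdentifier": "reporting", "StorageEncrypted": True, "MultiAZ": False},
]})
SAMPLE_SNAPSHOTS = json.dumps({"DBSnapshots": [
    {"DBSnapshotIdentifier": "rds:oltp-prod-2024-01-01", "DBInstanceIdentifier": "oltp-prod",
     "Encrypted": False, "SnapshotCreateTime": "2024-01-01T03:00:00Z"},
    {"DBSnapshotIdentifier": "rds:oltp-prod-2024-01-02", "DBInstanceIdentifier": "oltp-prod",
     "Encrypted": False, "SnapshotCreateTime": "2024-01-02T03:00:00Z"},
    {"DBSnapshotIdentifier": "rds:reporting-2024-01-02", "DBInstanceIdentifier": "reporting",
     "Encrypted": True, "SnapshotCreateTime": "2024-01-02T03:00:00Z"},
]})


def unencrypted_instances(instances_json):
    """Instances whose storage is not encrypted (the finding to remediate)."""
    return [i for i in json.loads(instances_json)["DBInstances"] if not i["StorageEncrypted"]]


def latest_snapshot(snapshots_json, instance_id):
    """Most recent snapshot of one instance, or None if it has none."""
    snaps = [s for s in json.loads(snapshots_json)["DBSnapshots"]
             if s["DBInstanceIdentifier"] == instance_id]
    return max(snaps, key=lambda s: s["SnapshotCreateTime"]) if snaps else None


def remediation_plan(instances_json, snapshots_json, kms_key_id):
    """Map each unencrypted instance to the CLI steps that replace it with an
    encrypted instance restored from an encrypted copy of its latest snapshot."""
    steps = {}
    for inst in unencrypted_instances(instances_json):
        iid = inst["DBInstanceIdentifier"]
        snap = latest_snapshot(snapshots_json, iid)
        if snap is None:
            continue  # nothing to copy yet; take a snapshot first
        # Automated snapshots carry the reserved "rds:" prefix; manual copies cannot.
        target = snap["DBSnapshotIdentifier"].replace("rds:", "", 1) + "-encrypted"
        new_id = iid + "-encrypted"
        steps[iid] = [
            # Encryption is enabled only at copy time, by passing a KMS key.
            f"aws rds copy-db-snapshot --source-db-snapshot-identifier {snap['DBSnapshotIdentifier']} "
            f"--target-db-snapshot-identifier {target} --kms-key-id {kms_key_id}",
            # A snapshot restores to a NEW instance, never into the existing one.
            f"aws rds restore-db-instance-from-db-snapshot --db-instance-identifier {new_id} "
            f"--db-snapshot-identifier {target}" + (" --multi-az" if inst["MultiAZ"] else " --no-multi-az"),
            # Verify before cutting applications over; later snapshots inherit encryption.
            f"aws rds describe-db-instances --db-instance-identifier {new_id} "
            "--query 'DBInstances[0].StorageEncrypted'",
        ]
    return steps
```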