AWS Certified Solutions Architect – Associate (SAA-C03) — Question 117
A company is running an online transaction processing (OLTP) workload on AWS. This workload uses an unencrypted Amazon RDS DB instance in a Multi-AZ deployment. Daily database snapshots are taken from this instance.
What should a solutions architect do to ensure the database and snapshots are always encrypted moving forward?
Answer options
- A. Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.
- B. Create a new encrypted Amazon Elastic Block Store (Amazon EBS) volume and copy the snapshots to it. Enable encryption on the DB instance.
- C. Copy the snapshots and enable encryption using AWS Key Management Service (AWS KMS). Restore encrypted snapshot to an existing DB instance.
- D. Copy the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS).
Correct answer: A
Explanation
The correct answer is A. Encryption cannot be turned on for an existing unencrypted Amazon RDS DB instance, so the way forward is to create an encrypted copy of the latest DB snapshot and restore it as a DB instance that replaces the unencrypted one. Snapshots taken from an encrypted DB instance are themselves encrypted, so both the database and its daily snapshots are encrypted from then on. The other options do not encrypt the existing DB instance: they either involve creating new volumes or copying snapshots without directly addressing encryption of the database instance.