AWS Certified Solutions Architect – Associate (SAA-C03) — Question 432
A company wants to share accounting data with an external auditor. The data is stored in an Amazon RDS DB instance that resides in a private subnet. The auditor has its own AWS account and requires its own copy of the database.
What is the MOST secure way for the company to share the database with the auditor?
Answer options
- A. Create a read replica of the database. Configure IAM standard database authentication to grant the auditor access.
- B. Export the database contents to text files. Store the files in an Amazon S3 bucket. Create a new IAM user for the auditor. Grant the user access to the S3 bucket.
- C. Copy a snapshot of the database to an Amazon S3 bucket. Create an IAM user. Share the user's keys with the auditor to grant access to the object in the S3 bucket.
- D. Create an encrypted snapshot of the database. Share the snapshot with the auditor. Allow access to the AWS Key Management Service (AWS KMS) encryption key.
Correct answer: D
Explanation
Option D is the most secure choice and the AWS-documented way to give another account its own copy of an RDS database. The owner shares the encrypted snapshot with the auditor's account ID and, because the snapshot is encrypted, grants that account use of the customer managed AWS KMS key in the key policy. The auditor then copies the shared snapshot into its own account (re-encrypting it with a key the auditor controls) and restores an independent DB instance from that copy. The data never leaves AWS, stays encrypted at rest throughout, no credentials are handed to the external party, and the auditor gets exactly what the question asks for: its own copy. Two caveats matter in practice: a snapshot encrypted with the AWS managed key (aws/rds) cannot be shared, so the source must be encrypted with a customer managed key, and the key policy must allow the auditor's account to create the KMS grants RDS needs for the copy and restore (kms:CreateGrant and related actions), not just kms:Decrypt. Option A fails because an RDS read replica cannot be created in a different AWS account, a replica in a private subnet would still require network access to that VPC, and IAM database authentication only governs how a client logs in; it does not produce a separate copy. Option B exports the data as plaintext files and hands an IAM user to an outside party, both of which weaken the posture. Option C likewise relies on sharing an IAM user's access keys with the auditor, a credential-sharing anti-pattern, instead of using AWS's native cross-account sharing.
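The following script walks through the option D procedure end to end: the KMS key-policy statements the owner adds for the auditor's account, a pre-share check that refuses snapshots that cannot or should not be shared, the owner-side share call, and the auditor-side copy-and-restore. It is an added example, not material from the exam page or AWS's own sample code. The boto3 operation names and parameters (modify_db_snapshot_attribute, copy_db_snapshot, restore_db_instance_from_db_snapshot, the db_snapshot_available waiter) are real; the account ID, snapshot names and key ARNs are placeholders; FakeRdsClient is a constructed stand-in so the flow runs offline; and treating an unencrypted snapshot as a blocker is this script's policy, since AWS itself permits sharing unencrypted snapshots.

```python
"""Share an encrypted RDS snapshot with an auditor's AWS account (option D).

Added example. Account IDs, names and ARNs are placeholders, and
FakeRdsClient is a constructed stand-in for boto3.client("rds").
"""
import json

# Actions AWS documents for letting another account use a customer managed key.
KMS_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]
# RDS creates KMS grants when it copies or restores an encrypted snapshot,
# so the auditor's account needs these too (restricted to AWS resources).
KMS_GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def cross_account_key_statements(auditor_account_id):
    """Key-policy statements to append to the owner's customer managed key."""
    principal = {"AWS": f"arn:aws:iam::{auditor_account_id}:root"}
    return [
        {"Sid": "AllowAuditorUseOfTheKey", "Effect": "Allow",
         "Principal": principal, "Action": KMS_USE_ACTIONS, "Resource": "*"},
        {"Sid": "AllowAuditorGrantsForAWSResources", "Effect": "Allow",
         "Principal": principal, "Action": KMS_GRANT_ACTIONS, "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]


def snapshot_share_blockers(snapshot, key_metadata):
    """Reasons not to share `snapshot` (one entry of describe_db_snapshots()).
    `key_metadata` is describe_key()["KeyMetadata"] for snapshot["KmsKeyId"],
    or None when the snapshot is unencrypted."""
    blockers = []
    if not snapshot.get("Encrypted"):
        # Script policy: plaintext copies are not shared with external parties.
        blockers.append("snapshot is unencrypted; copy it with KmsKeyId set "
                        "to a customer managed key first")
        return blockers
    if key_metadata is None:
        blockers.append("encrypted snapshot but no key metadata supplied")
        return blockers
    if key_metadata.get("KeyManager") == "AWS":
        # AWS rule: snapshots encrypted with the AWS managed aws/rds key
        # cannot be shared at all.
        blockers.append("encrypted with the AWS managed key; re-copy with a "
                        "customer managed key before sharing")
    if key_metadata.get("KeyState") != "Enabled":
        blockers.append(f"key state is {key_metadata.get('KeyState')}")
    return blockers


def share_snapshot(rds, snapshot_id, auditor_account_id):
    """Owner side: add the auditor's account to the snapshot's restore list."""
    return rds.modify_db_snapshot_attribute(
        DBSnapshotIdentifier=snapshot_id, AttributeName="restore",
        ValuesToAdd=[auditor_account_id])


def import_shared_snapshot(rds, shared_snapshot_arn, local_snapshot_id,
                           local_kms_key_id, instance_id, instance_class):
    """Auditor side: copy the shared snapshot under the auditor's own key,
    wait for the copy, then restore an independent DB instance from it."""
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=shared_snapshot_arn,
                         TargetDBSnapshotIdentifier=local_snapshot_id,
                         KmsKeyId=local_kms_key_id)
    rds.get_waiter("db_snapshot_available").wait(
        DBSnapshotIdentifier=local_snapshot_id)
    return rds.restore_db_instance_from_db_snapshot(
        DBInstanceIdentifier=instance_id,
        DBSnapshotIdentifier=local_snapshot_id,
        DBInstanceClass=instance_class)


class FakeRdsClient:
    """Constructed recorder standing in for boto3.client('rds')."""
    def __init__(self):
        self.calls = []

    def get_waiter(self, name):
        class _NoWait:
            def wait(self, **kwargs):
                pass
        return _NoWait()

    def __getattr__(self, name):  # any other operation: record and echo
        def op(**kwargs):
            self.calls.append((name, kwargs))
            return {"Operation": name, **kwargs}
        return op


if __name__ == "__main__":
    auditor = "111122223333"  # placeholder auditor account ID
    print(json.dumps(cross_account_key_statements(auditor), indent=2))
    owner_rds = FakeRdsClient()
    share_snapshot(owner_rds, "accounting-2024q1", auditor)
    auditor_rds = FakeRdsClient()
    import_shared_snapshot(
        auditor_rds,
        "arn:aws:rds:us-east-1:999999999999:snapshot:accounting-2024q1",
        "accounting-2024q1-audit-copy",
        "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
        "accounting-audit", "db.t3.medium")
    print([c[0] for c in owner_rds.calls + auditor_rds.calls])
```

Run the pre-share check against describe_db_snapshots and describe_key output before calling share_snapshot; the KeyManager test is the one that catches the common mistake of encrypting with the default aws/rds key, which cannot be shared and would force a re-copy under a customer managed key.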