AWS Certified SysOps Administrator – Associate — Question 45
A database is running on an Amazon RDS Multi-AZ DB instance. A recent security audit found the database to be out of compliance because it was not encrypted.
Which approach will resolve the encryption requirement?
Answer options
- A. Log in to the RDS console and select the encryption box to encrypt the database.
- B. Create a new encrypted Amazon EBS volume and attach it to the instance.
- C. Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance.
- D. Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.
Correct answer: D
Explanation
The correct answer is D because an unencrypted snapshot can be copied with encryption enabled, and the encrypted copy can then be restored as a new, encrypted RDS instance. Option A is incorrect because you cannot simply enable encryption on an existing RDS instance. Option B does not address the database encryption directly, and option C is misleading because encryption cannot be applied to the standby on its own and then carried over to the primary by promoting it.