AWS Certified SysOps Administrator – Associate (legacy) — Question 639
A SysOps administrator wants to encrypt an existing Amazon RDS DB instance with AWS Key Management Service (AWS KMS).
How should the SysOps administrator accomplish this goal?
Answer options
- A. Copy the data volumes of the unencrypted instance. Apply the KMS key to the copied data volumes. Start the instance with the encrypted volumes.
- B. Create a read replica of the unencrypted instance. Encrypt the read replica with the KMS key. Promote the read replica to become the primary instance.
- C. Take a snapshot of the unencrypted instance. Apply the KMS key to the existing instance using the modify-db-instance command. Restart the instance.
- D. Take a snapshot of the unencrypted instance. Create an encrypted copy of the snapshot with the KMS key. Restore the instance from the encrypted snapshot.
Correct answer: A
Explanation
Option A is the correct choice because it describes copying the underlying data volumes and applying the KMS key to the copies so that the instance starts securely. Option B is incorrect because you cannot create an encrypted read replica from an unencrypted database instance. Options C and D are incorrect because you cannot directly modify an existing unencrypted instance to become encrypted using the modify-db-instance command.