AWS Certified SysOps Administrator – Associate (legacy) — Question 875
A database is running on an Amazon RDS Multi-AZ DB instance. A recent security audit found the database to be out of compliance because it was not encrypted.
Which approach will resolve the encryption requirement?
Answer options
- A. Log in to the RDS console and select the encryption box to encrypt the database.
- B. Create a new encrypted Amazon EBS volume and attach it to the instance.
- C. Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance.
- D. Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.
Correct answer: D
Explanation
Encryption at rest is a creation-time property of an RDS DB instance: Amazon RDS does not let you turn it on for an existing unencrypted instance (there is no checkbox to tick, so A is wrong). The supported path is to take a snapshot of the instance, copy the snapshot while specifying an AWS KMS key (the copy is what becomes encrypted), and then restore that encrypted snapshot to a new DB instance, re-enabling Multi-AZ on the restored instance. The restored instance gets a new endpoint, so applications must be repointed (or the instances renamed) during a cutover, and the old unencrypted instance and its unencrypted snapshot should be deleted once the migration is verified. B is wrong because RDS manages its own storage and does not expose EBS volumes for you to attach; C is wrong because the Multi-AZ standby is a block-level replica that shares the primary's storage configuration and cannot be encrypted independently.
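The snapshot, copy-and-encrypt, restore procedure above as an AWS CLI script. This is an added example, not part of the original question or answer; the instance name legacy-db, the KMS alias alias/rds-prod and the target name legacy-db-encrypted are hypothetical. Setting DRY_RUN=1 prints the commands instead of executing them, which is also how the sequence can be reviewed before it is run against a real account.

```shell
#!/bin/sh
# Migrate an unencrypted RDS Multi-AZ instance to an encrypted one:
# snapshot -> encrypted snapshot copy -> restore -> verify.
# Assumed (hypothetical) identifiers: legacy-db, legacy-db-encrypted, alias/rds-prod.
# DRY_RUN=1 prints each aws command on its own line instead of running it.

DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: snapshot the existing unencrypted instance and wait until it is usable.
snapshot_source() {
    src="$1"; snap="$2"
    run aws rds create-db-snapshot --db-instance-identifier "$src" \
        --db-snapshot-identifier "$snap"
    run aws rds wait db-snapshot-available --db-snapshot-identifier "$snap"
}

# Step 2: copy the snapshot. Passing --kms-key-id is what makes the copy encrypted;
# a copy without it stays unencrypted.
encrypt_snapshot() {
    snap="$1"; enc="$2"; key="$3"
    run aws rds copy-db-snapshot --source-db-snapshot-identifier "$snap" \
        --target-db-snapshot-identifier "$enc" --kms-key-id "$key"
    run aws rds wait db-snapshot-available --db-snapshot-identifier "$enc"
}

# Step 3: restore a new instance from the encrypted snapshot. Multi-AZ is not
# inherited from the source instance, so it is requested explicitly.
restore_encrypted() {
    enc="$1"; dst="$2"
    run aws rds restore-db-instance-from-db-snapshot --db-instance-identifier "$dst" \
        --db-snapshot-identifier "$enc" --multi-az
    run aws rds wait db-instance-available --db-instance-identifier "$dst"
}

# Step 4: the compliance check itself: StorageEncrypted must report True.
verify_encrypted() {
    run aws rds describe-db-instances --db-instance-identifier "$1" \
        --query 'DBInstances[0].StorageEncrypted' --output text
}

# Full procedure: reencrypt_rds <source-instance> <new-instance> <kms-key-id-or-alias>
reencrypt_rds() {
    src="$1"; dst="$2"; key="$3"
    snapshot_source "$src" "$src-pre-encrypt"
    encrypt_snapshot "$src-pre-encrypt" "$src-encrypted" "$key"
    restore_encrypted "$src-encrypted" "$dst"
    verify_encrypted "$dst"
}

# Usage: sh reencrypt.sh legacy-db legacy-db-encrypted alias/rds-prod
if [ "$#" -eq 3 ]; then
    reencrypt_rds "$@"
fi
```

The restore call deliberately passes only the options the question turns on; in practice you also pass --vpc-security-group-ids, --db-subnet-group-name and --db-parameter-group-name so the new instance does not come up with the account defaults, and you finish by renaming or repointing so clients reach the new endpoint, then deleting the old instance and the unencrypted snapshot.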