AWS SAA-C03 #121

A company is running an online transaction processing (OLTP) workload on AWS. This workload uses an unencrypted Amazon RDS DB instance in a Multi-AZ deployment. Daily database snapshots are taken from this instance.

What should a solutions architect do to ensure the database and snapshots are always encrypted moving forward?

A. Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.

B. Create a new encrypted Amazon Elastic Block Store (Amazon EBS) volume and copy the snapshots to it. Enable encryption on the DB instance.

C. Copy the snapshots and enable encryption using AWS Key Management Service (AWS KMS) Restore encrypted snapshot to an existing DB instance.

D. Copy the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS).


The correct answer is A. Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.

Here's why:

  • Amazon RDS does not support encrypting an existing DB instance. Therefore, to encrypt an existing unencrypted DB instance, you must create a snapshot of the DB instance, and then create a copy of that snapshot that is encrypted. You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of the original DB instance.

  • Options B, C, and D are not valid because they either involve steps that are not supported by AWS or they do not result in an encrypted DB instance.

Remember, it's important to understand the capabilities and limitations of the AWS services you are using to ensure you are implementing solutions that are secure and efficient. If you have any more questions, feel free to ask!

Sure, here's why the other options are incorrect:

  • Option B: Amazon Elastic Block Store (Amazon EBS) and Amazon RDS are different services with different capabilities. Amazon EBS volumes can be encrypted at any time, but Amazon RDS DB instances cannot be encrypted after they are created. Therefore, copying snapshots to an encrypted EBS volume would not result in an encrypted DB instance.

  • Option C: While you can copy a snapshot and enable encryption using AWS Key Management Service (AWS KMS), you cannot restore an encrypted snapshot to an existing DB instance. The existing DB instance would need to be deleted and a new one created from the encrypted snapshot.

  • Option D: Copying the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS) would not result in an encrypted DB instance. Amazon S3 and Amazon RDS are different services and their encryption settings are managed separately.

I hope this clarifies your doubts! If you have any more questions, feel free to ask.

相关推荐
yuzhangfeng9 小时前
【云计算物理网络】从传统网络到SDN:云计算的网络演进之路
网络·云计算
ZStack开发者社区12 小时前
全球化2.0 | ZStack举办香港Partner Day,推动AIOS智塔+DeepSeek海外实践
人工智能·云计算
久违の欢喜20 小时前
《云计算:核心驱动力》
云计算
yuzhangfeng20 小时前
【云计算物理网络】数据中心网络架构设计
网络·云计算
久违の欢喜20 小时前
《云计算:一场静悄悄的革命》
云计算
聚搜云—服务器分享21 小时前
阿里云国际站代理商:模型训练中断数据丢失怎么办?
阿里云·云计算
小哈里1 天前
【运维】云计算的发展历程,云原生时代的运维理念&工具技术栈,高可用系统的云运维 —— 以K8S集群调度算法与命令为例
运维·云原生·kubernetes·云计算·架构设计
TiAmo zhang1 天前
DeepSeek-R1 模型现已在亚马逊云科技上提供
人工智能·云计算·aws