AWS SAA-C03 #121

A company is running an online transaction processing (OLTP) workload on AWS. This workload uses an unencrypted Amazon RDS DB instance in a Multi-AZ deployment. Daily database snapshots are taken from this instance.

What should a solutions architect do to ensure the database and snapshots are always encrypted moving forward?

A. Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.

B. Create a new encrypted Amazon Elastic Block Store (Amazon EBS) volume and copy the snapshots to it. Enable encryption on the DB instance.

C. Copy the snapshots and enable encryption using AWS Key Management Service (AWS KMS). Restore encrypted snapshot to an existing DB instance.

D. Copy the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS).


The correct answer is A. Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.

Here's why:

  • Amazon RDS does not support encrypting an existing DB instance. Therefore, to encrypt an existing unencrypted DB instance, you must create a snapshot of the DB instance, and then create a copy of that snapshot that is encrypted. You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of the original DB instance.

  • Options B, C, and D are not valid because they either involve steps that are not supported by AWS or they do not result in an encrypted DB instance.


Why the other options are incorrect:

  • Option B: Amazon Elastic Block Store (Amazon EBS) and Amazon RDS are different services with different capabilities. Amazon EBS volumes can be encrypted at any time, but Amazon RDS DB instances cannot be encrypted after they are created. Therefore, copying snapshots to an encrypted EBS volume would not result in an encrypted DB instance.

  • Option C: While you can copy a snapshot and enable encryption using AWS Key Management Service (AWS KMS), you cannot restore an encrypted snapshot to an existing DB instance. The existing DB instance would need to be deleted and a new one created from the encrypted snapshot.

  • Option D: Copying the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS) would not result in an encrypted DB instance. Amazon S3 and Amazon RDS are different services and their encryption settings are managed separately.
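The snapshot-copy-and-restore sequence from option A, together with the restore-onto-an-existing-instance failure that rules out option C, as an added example that is not part of the original page. It uses the boto3 RDS client's method names; `FakeRDS`, the identifiers and the key alias are constructed stand-ins so the code runs without an AWS account.

```python
from types import SimpleNamespace


def restore_encrypted_copy(rds, snapshot_id, encrypted_snapshot_id, kms_key_id, new_instance_id):
    """Option A's steps; `rds` is boto3.client("rds") or a stand-in with the same methods."""
    snap = rds.describe_db_snapshots(DBSnapshotIdentifier=snapshot_id)["DBSnapshots"][0]
    if snap["Encrypted"]:
        raise ValueError(f"{snapshot_id} is already encrypted; restore it directly")
    # 1. Copy the snapshot. Supplying KmsKeyId is what makes the copy encrypted.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=snapshot_id,
                         TargetDBSnapshotIdentifier=encrypted_snapshot_id,
                         KmsKeyId=kms_key_id)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=encrypted_snapshot_id)
    # 2. Restore into a NEW instance; a snapshot cannot be restored onto an existing one.
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=new_instance_id,
                                             DBSnapshotIdentifier=encrypted_snapshot_id,
                                             MultiAZ=True)  # scenario is Multi-AZ
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=new_instance_id)
    # 3. Verify encryption before cutting over and retiring the old instance.
    inst = rds.describe_db_instances(DBInstanceIdentifier=new_instance_id)["DBInstances"][0]
    if not inst["StorageEncrypted"]:
        raise RuntimeError(f"{new_instance_id} was restored without encryption")
    return inst


class FakeRDS:
    """Constructed in-memory stand-in (not boto3) modelling only what the page states."""
    def __init__(self):
        self.snapshots = {"oltp-daily": {"Encrypted": False}}      # constructed sample
        self.instances = {"oltp-db": {"StorageEncrypted": False}}  # constructed sample
    def describe_db_snapshots(self, DBSnapshotIdentifier):
        return {"DBSnapshots": [self.snapshots[DBSnapshotIdentifier]]}
    def copy_db_snapshot(self, SourceDBSnapshotIdentifier, TargetDBSnapshotIdentifier, KmsKeyId=None):
        src = self.snapshots[SourceDBSnapshotIdentifier]
        self.snapshots[TargetDBSnapshotIdentifier] = {"Encrypted": src["Encrypted"] or bool(KmsKeyId)}
    def restore_db_instance_from_db_snapshot(self, DBInstanceIdentifier, DBSnapshotIdentifier, MultiAZ=False):
        if DBInstanceIdentifier in self.instances:  # the reason option C fails
            raise ValueError("DBInstanceAlreadyExists")
        encrypted = self.snapshots[DBSnapshotIdentifier]["Encrypted"]  # inherited from snapshot
        self.instances[DBInstanceIdentifier] = {"StorageEncrypted": encrypted, "MultiAZ": MultiAZ}
    def describe_db_instances(self, DBInstanceIdentifier):
        return {"DBInstances": [self.instances[DBInstanceIdentifier]]}
    def get_waiter(self, name):
        return SimpleNamespace(wait=lambda **kwargs: None)  # nothing to wait for in memory


if __name__ == "__main__":
    print(restore_encrypted_copy(FakeRDS(), "oltp-daily", "oltp-daily-enc", "alias/example-key", "oltp-db-enc"))
```

Against a real account, pass `boto3.client("rds")` as `rds`; the original unencrypted instance is left untouched until you repoint the application and delete it.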

