AWS SAA-C03 #121

A company is running an online transaction processing (OLTP) workload on AWS. This workload uses an unencrypted Amazon RDS DB instance in a Multi-AZ deployment. Daily database snapshots are taken from this instance.

What should a solutions architect do to ensure the database and snapshots are always encrypted moving forward?

A. Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.

B. Create a new encrypted Amazon Elastic Block Store (Amazon EBS) volume and copy the snapshots to it. Enable encryption on the DB instance.

C. Copy the snapshots and enable encryption using AWS Key Management Service (AWS KMS) Restore encrypted snapshot to an existing DB instance.

D. Copy the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS).


The correct answer is A. Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.

Here's why:

  • Amazon RDS does not support encrypting an existing DB instance. Therefore, to encrypt an existing unencrypted DB instance, you must create a snapshot of the DB instance, and then create a copy of that snapshot that is encrypted. You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of the original DB instance.

  • Options B, C, and D are not valid because they either involve steps that are not supported by AWS or they do not result in an encrypted DB instance.

Remember, it's important to understand the capabilities and limitations of the AWS services you are using to ensure you are implementing solutions that are secure and efficient. If you have any more questions, feel free to ask!

Sure, here's why the other options are incorrect:

  • Option B: Amazon Elastic Block Store (Amazon EBS) and Amazon RDS are different services with different capabilities. Amazon EBS volumes can be encrypted at any time, but Amazon RDS DB instances cannot be encrypted after they are created. Therefore, copying snapshots to an encrypted EBS volume would not result in an encrypted DB instance.

  • Option C: While you can copy a snapshot and enable encryption using AWS Key Management Service (AWS KMS), you cannot restore an encrypted snapshot to an existing DB instance. The existing DB instance would need to be deleted and a new one created from the encrypted snapshot.

  • Option D: Copying the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS) would not result in an encrypted DB instance. Amazon S3 and Amazon RDS are different services and their encryption settings are managed separately.

I hope this clarifies your doubts! If you have any more questions, feel free to ask.

相关推荐
Database_Cool_11 小时前
日志存储降本首选:阿里云 Lindorm 冷热分层替代 Elasticsearch
elasticsearch·阿里云·云计算
胖胖雕1 天前
利用阿里云与docker部署Certimate
阿里云·docker·云计算
AliCloudROS2 天前
一次真实录屏:我只说每月别超过 200 块,小程序后端就搭好了
运维·人工智能·云计算
buligbulig2 天前
如何在云计算中使用虚拟磁盘?
云计算
赛博三把手2 天前
Claude Fable 5 API 调用完整指南:官方、AWS、OpenRouter 与中转平台对比(2026 最新)
网络·云计算·aws
weixin_462901972 天前
从零跑通:阿里云 ECS + 百炼 MaaS 大模型答题卡识别全流程
阿里云·云计算
tiancaijiben2 天前
阿里云ECS云服务器部署Vue打包静态网站:Nginx路由重定向完整配置
云计算
我是伪码农3 天前
页面ai调用(阿里云)
阿里云·云计算
爆落千玄3 天前
从0训练LLM原理解析
阿里云·云计算
淘源码A4 天前
多院区集团化云PACS系统源码,原生兼容国产软硬件环境
java·云计算·源码·saas·pacs·医学影像系统