AWS SAA-C03 #121

A company is running an online transaction processing (OLTP) workload on AWS. This workload uses an unencrypted Amazon RDS DB instance in a Multi-AZ deployment. Daily database snapshots are taken from this instance.

What should a solutions architect do to ensure the database and snapshots are always encrypted moving forward?

A. Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.

B. Create a new encrypted Amazon Elastic Block Store (Amazon EBS) volume and copy the snapshots to it. Enable encryption on the DB instance.

C. Copy the snapshots and enable encryption using AWS Key Management Service (AWS KMS) Restore encrypted snapshot to an existing DB instance.

D. Copy the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS).


The correct answer is A. Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.

Here's why:

  • Amazon RDS does not support encrypting an existing DB instance. Therefore, to encrypt an existing unencrypted DB instance, you must create a snapshot of the DB instance, and then create a copy of that snapshot that is encrypted. You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of the original DB instance.

  • Options B, C, and D are not valid because they either involve steps that are not supported by AWS or they do not result in an encrypted DB instance.

Remember, it's important to understand the capabilities and limitations of the AWS services you are using to ensure you are implementing solutions that are secure and efficient. If you have any more questions, feel free to ask!

Sure, here's why the other options are incorrect:

  • Option B: Amazon Elastic Block Store (Amazon EBS) and Amazon RDS are different services with different capabilities. Amazon EBS volumes can be encrypted at any time, but Amazon RDS DB instances cannot be encrypted after they are created. Therefore, copying snapshots to an encrypted EBS volume would not result in an encrypted DB instance.

  • Option C: While you can copy a snapshot and enable encryption using AWS Key Management Service (AWS KMS), you cannot restore an encrypted snapshot to an existing DB instance. The existing DB instance would need to be deleted and a new one created from the encrypted snapshot.

  • Option D: Copying the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS) would not result in an encrypted DB instance. Amazon S3 and Amazon RDS are different services and their encryption settings are managed separately.

I hope this clarifies your doubts! If you have any more questions, feel free to ask.

相关推荐
Love__Tay18 小时前
笔记/云计算基础
笔记·学习·云计算
学术小八18 小时前
第二届云计算与大数据国际学术会议(ICCBD 2025)
大数据·云计算
容器魔方18 小时前
中选名单出炉|18位学生入选开源之夏KubeEdge课题,欢迎加入!
云原生·容器·云计算
Johny_Zhao1 天前
Docker + CentOS 部署 Zookeeper 集群 + Kubernetes Operator 自动化运维方案
linux·网络安全·docker·信息安全·zookeeper·kubernetes·云计算·系统运维
鸭鸭鸭进京赶烤1 天前
大学专业科普 | 云计算、大数据
大数据·云计算
SH11HF1 天前
小菜狗的云计算之旅,学习了解rsync+sersync实现数据实时同步(详细操作步骤)
学习·云计算
搞笑的秀儿2 天前
信息新技术
大数据·人工智能·物联网·云计算·区块链
SelectDB2 天前
SelectDB 在 AWS Graviton ARM 架构下相比 x86 实现 36% 性价比提升
大数据·架构·aws
泊浮目2 天前
未来数据库硬件-网络篇
数据库·架构·云计算
运维开发王义杰2 天前
金融安全生命线:用AWS EventBridge和CloudTrail构建主动式入侵检测系统
安全·金融·aws