AWS SAA-C03 #121

A company is running an online transaction processing (OLTP) workload on AWS. This workload uses an unencrypted Amazon RDS DB instance in a Multi-AZ deployment. Daily database snapshots are taken from this instance.

What should a solutions architect do to ensure the database and snapshots are always encrypted moving forward?

A. Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.

B. Create a new encrypted Amazon Elastic Block Store (Amazon EBS) volume and copy the snapshots to it. Enable encryption on the DB instance.

C. Copy the snapshots and enable encryption using AWS Key Management Service (AWS KMS). Restore encrypted snapshot to an existing DB instance.

D. Copy the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS).


The correct answer is A. Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.

Here's why:

  • Amazon RDS does not support encrypting an existing DB instance. Therefore, to encrypt an existing unencrypted DB instance, you must create a snapshot of the DB instance, and then create a copy of that snapshot that is encrypted. You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of the original DB instance.

  • Options B, C, and D are not valid because they either involve steps that are not supported by AWS or they do not result in an encrypted DB instance.

Remember, it's important to understand the capabilities and limitations of the AWS services you are using to ensure you are implementing solutions that are secure and efficient.

Here's why the other options are incorrect:

  • Option B: Amazon Elastic Block Store (Amazon EBS) and Amazon RDS are different services with different capabilities. Amazon EBS volumes can be encrypted at any time, but Amazon RDS DB instances cannot be encrypted after they are created. Therefore, copying snapshots to an encrypted EBS volume would not result in an encrypted DB instance.

  • Option C: While you can copy a snapshot and enable encryption using AWS Key Management Service (AWS KMS), you cannot restore an encrypted snapshot to an existing DB instance. The existing DB instance would need to be deleted and a new one created from the encrypted snapshot.

  • Option D: Copying the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS) would not result in an encrypted DB instance. Amazon S3 and Amazon RDS are different services and their encryption settings are managed separately.
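The procedure behind answer A, written out with the AWS CLI as an added example (not part of the original question or answer). The function name, the snapshot naming scheme, and the instance and key identifiers passed in are assumptions; it restores to a new instance identifier because, as noted under option C, a snapshot cannot be restored onto an existing instance.

```shell
#!/usr/bin/env bash
# Added example. Instance names and the KMS key passed in are placeholders.
set -eu

# Usage: encrypt_rds_instance SOURCE_INSTANCE NEW_INSTANCE KMS_KEY_ID
encrypt_rds_instance() {
  local src="$1" new="$2" key="$3" state
  local snap="${src}-pre-encryption" enc_snap="${src}-encrypted"

  # An already-encrypted source needs no migration; stop before creating anything.
  state=$(aws rds describe-db-instances --db-instance-identifier "$src" \
    --query 'DBInstances[0].StorageEncrypted' --output text)
  if [ "$state" = "True" ]; then
    echo "$src is already encrypted" >&2
    return 2
  fi

  # 1. Snapshot the unencrypted instance (this snapshot is unencrypted too).
  aws rds create-db-snapshot --db-instance-identifier "$src" \
    --db-snapshot-identifier "$snap"
  aws rds wait db-snapshot-available --db-snapshot-identifier "$snap"

  # 2. Copy the snapshot; supplying a KMS key makes the copy encrypted.
  aws rds copy-db-snapshot --source-db-snapshot-identifier "$snap" \
    --target-db-snapshot-identifier "$enc_snap" --kms-key-id "$key"
  aws rds wait db-snapshot-available --db-snapshot-identifier "$enc_snap"

  # 3. Restore the encrypted copy as a NEW Multi-AZ instance.
  aws rds restore-db-instance-from-db-snapshot --db-instance-identifier "$new" \
    --db-snapshot-identifier "$enc_snap" --multi-az
  aws rds wait db-instance-available --db-instance-identifier "$new"

  # 4. Confirm the replacement is encrypted before cutting traffic over.
  state=$(aws rds describe-db-instances --db-instance-identifier "$new" \
    --query 'DBInstances[0].StorageEncrypted' --output text)
  [ "$state" = "True" ] || { echo "$new is NOT encrypted" >&2; return 1; }
  echo "$new is encrypted; repoint the application, then retire $src"
}

# Run only when called with the three arguments.
if [ "$#" -eq 3 ]; then encrypt_rds_instance "$@"; fi
```

Writes made to the source after the snapshot in step 1 are not present in the new instance, so quiesce the application before starting. Snapshots taken of the encrypted instance are themselves encrypted, which covers the daily snapshots going forward.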
