Medium · 1 mark · Multiple Choice
Domain 1.3: Data Security · RDS · Encryption · Security

AWS SAA-C03 · Question 18 · Domain 1.3: Data Security

A company has an unencrypted Amazon RDS for PostgreSQL database. The security team mandates that the database must be encrypted at rest using AWS KMS.

What is the MOST operationally efficient way to encrypt the existing database?

Answer options:

A. Modify the existing RDS instance and check the 'Enable Encryption' box.

B. Take a snapshot of the unencrypted database, copy the snapshot and enable encryption, then restore a new DB instance from the encrypted snapshot.

C. Create a new encrypted RDS instance and use AWS DMS to migrate the data.

D. Export the data to S3, encrypt the S3 bucket, and import it into a new RDS instance.

How to approach this question

Remember the snapshot-copy-restore pattern for RDS encryption.

Full Answer

B. Take a snapshot of the unencrypted database, copy the snapshot and enable encryption, then restore a new DB instance from the encrypted snapshot. ✓ Correct
You can only enable encryption for an Amazon RDS DB instance when you create it, not after. To encrypt an existing unencrypted instance, you must create a snapshot, copy that snapshot (specifying a KMS key to encrypt the copy), and then restore the encrypted snapshot to a new instance.

Common mistakes

Believing you can just modify the instance to turn on encryption.
