
SAA-C03 Question #442: Real Exam Question with Answer & Explanation

The correct answer is B: Create a snapshot of the DB instance. Create an encrypted copy of the snapshot. Use the. Amazon RDS does not support enabling encryption at rest on an existing unencrypted DB instance. To encrypt an existing RDS instance's data at rest, the recommended method is to: Take a snapshot of the unencrypted DB instance. Create an encrypted copy of the snapshot using AWS KMS

Submitted by fernanda_arg · Mar 4, 2026 · Design Secure Architectures

Question

A company has an application that uses an Amazon RDS for PostgreSQL database. The company is developing an application feature that will store sensitive information for an individual in the database. During a security review of the environment, the company discovers that the RDS DB instance is not encrypting data at rest. The company needs a solution that will provide encryption at rest for all the existing data and for any new data that is entered for an individual. Which combination of steps should the company take to meet these requirements? (Select TWO.)

Options

  • A. Create a snapshot of the DB instance. Enable encryption on the snapshot. Use the encrypted
  • B. Create a snapshot of the DB instance. Create an encrypted copy of the snapshot. Use the
  • C. Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB
  • D. Use AWS Key Management Service (AWS KMS) to create a new default AWS managed aws/rds
  • E. Use AWS Key Management Service (AWS KMS) to create a new customer managed key. Select

Explanation

Amazon RDS does not support enabling encryption at rest on an existing unencrypted DB instance. To encrypt an existing RDS instance's data at rest, the recommended method is to:

  • Take a snapshot of the unencrypted DB instance.
  • Create an encrypted copy of the snapshot using AWS KMS. This encrypted snapshot contains the existing data encrypted at rest.
  • Restore a new DB instance from the encrypted snapshot. This new instance will have encryption at rest enabled.

Additionally, to manage encryption keys securely, companies can use customer managed keys (CMKs) in AWS Key Management Service (KMS). CMKs provide greater control over key management policies, rotation, and usage permissions compared to default AWS managed keys. Using a CMK allows customization of access control and auditability.

Option A is incorrect because you cannot enable encryption directly on a snapshot; you must create an encrypted copy.

Option C is invalid because encryption cannot be enabled by modifying an existing instance's

Option D refers to the default AWS managed key, which is less flexible than customer managed
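The snapshot, encrypted copy and restore sequence from the explanation, written out as AWS CLI calls. This is an added example, not part of the original page; the derived snapshot and instance names and the dry-run wrapper are assumptions, and the KMS key (for example a customer managed key's ARN or alias) is passed in by the caller.

```shell
#!/bin/sh
# DRY_RUN=1 (default) prints each AWS CLI command instead of running it,
# so the sequence can be reviewed before any resource is created.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf 'aws %s\n' "$*"; else aws "$@"; fi
}

# encrypt_rds_instance SOURCE_INSTANCE KMS_KEY_ID
# The -plain-snap / -encrypted-snap / -encrypted suffixes are assumed names.
encrypt_rds_instance() {
    if [ "$#" -ne 2 ] || [ -z "$1" ] || [ -z "$2" ]; then
        echo "usage: encrypt_rds_instance SOURCE_INSTANCE KMS_KEY_ID" >&2
        return 2
    fi
    src="$1"; key="$2"
    plain_snap="${src}-plain-snap"
    enc_snap="${src}-encrypted-snap"
    new_db="${src}-encrypted"

    # 1. Snapshot the unencrypted instance and wait until it is available.
    run rds create-db-snapshot --db-instance-identifier "$src" \
        --db-snapshot-identifier "$plain_snap" || return 1
    run rds wait db-snapshot-available \
        --db-snapshot-identifier "$plain_snap" || return 1

    # 2. Copy the snapshot; passing a KMS key makes the copy encrypted.
    run rds copy-db-snapshot --source-db-snapshot-identifier "$plain_snap" \
        --target-db-snapshot-identifier "$enc_snap" --kms-key-id "$key" || return 1
    run rds wait db-snapshot-available \
        --db-snapshot-identifier "$enc_snap" || return 1

    # 3. Restore a new instance from the encrypted copy.
    run rds restore-db-instance-from-db-snapshot \
        --db-instance-identifier "$new_db" \
        --db-snapshot-identifier "$enc_snap" || return 1
    run rds wait db-instance-available --db-instance-identifier "$new_db" || return 1

    # 4. Report the StorageEncrypted flag of the new instance.
    run rds describe-db-instances --db-instance-identifier "$new_db" \
        --query 'DBInstances[0].StorageEncrypted' --output text
}

# Run when called as a script with both arguments.
if [ "$#" -eq 2 ]; then encrypt_rds_instance "$@"; fi
```

The restored instance has a new endpoint, so the application must be repointed to it. Network settings such as the subnet group and security groups need to be supplied to the restore command or applied afterwards.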
