Which approach will resolve the encryption requirement?

By:
In: SOA-C02
Tagged:
With: 1 Comment
A database is running on an Amazon RDS Multi-AZ DB instance.A recent security audit found the database to be out of compliance because it was not encrypted.

Which approach will resolve the encryption requirement?

Log in to the RDS console and select the encryption box to encrypt the database.

Create a new encrypted Amazon EBS volume and attach it to the instance.

Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance.

Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.

Explanations:

You cannot enable encryption on an existing RDS instance directly through the console after it has been created. Encryption must be set at the time of instance creation.

Creating a new encrypted Amazon EBS volume and attaching it to the instance is not applicable for RDS instances, as RDS manages the underlying storage and does not allow for direct EBS volume manipulation.

Encrypting only the standby replica does not ensure that the primary instance becomes encrypted. Additionally, RDS does not support promoting a standby instance to primary if the encryption configuration is different.

This approach is valid. You can take a snapshot of the existing unencrypted RDS instance, copy that snapshot with encryption enabled, and then restore it to create a new encrypted RDS instance, satisfying the encryption requirement.

2025-10-17

1 Comment

  1. Amy
    Author

    I calculate that the answer is:
    Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.

Leave a Reply

Your email address will not be published. Required fields are marked *

5 × 2 =