How should this be accomplished?
Create an Amazon S3 bucket with server-side encryption enabled. Move all the data to Amazon S3. Delete the RDS instance.
Enable RDS Multi-AZ mode with encryption at rest enabled. Perform a failover to the standby instance to delete the original instance.
Take a snapshot of the RDS instance. Create an encrypted copy of the snapshot. Restore the RDS instance from the encrypted snapshot.
Create an RDS read replica with encryption at rest enabled. Promote the read replica to master and switch the application over to the new master. Delete the old RDS instance.
Explanations:
This option suggests moving data to Amazon S3, which does not address the need for encryption of the existing RDS instance directly. Deleting the RDS instance would result in loss of data stored in the database.
Enabling Multi-AZ mode provides high availability but does not directly add encryption to the existing instance. Failover would not make the data encrypted, as it does not modify the original instance.
Taking a snapshot of the RDS instance and creating an encrypted copy allows for encryption to be applied. Restoring from the encrypted snapshot results in a new instance with the required encryption, meeting compliance needs.
Creating a read replica with encryption does not encrypt the existing master instance directly. Promoting the replica to master would result in an encrypted instance, but it does not address the initial requirement for encrypting existing data in the original instance.