How should the Database Specialist satisfy this new requirement?

By:
In: DBS-C01
Tagged:
With: 1 Comment
A Database Specialist migrated an existing production MySQL database from on-premises to an Amazon RDS for MySQL DB instance.However, after the migration, the database needed to be encrypted at rest using AWS KMS.Due to the size of the database, reloading, the data into an encrypted database would be too time-consuming, so it is not an option.

How should the Database Specialist satisfy this new requirement?

Create a snapshot of the unencrypted RDS DB instance. Create an encrypted copy of the unencrypted snapshot. Restore the encrypted snapshot copy.

Modify the RDS DB instance. Enable the AWS KMS encryption option that leverages the AWS CLI.

Restore an unencrypted snapshot into a MySQL RDS DB instance that is encrypted.

Create an encrypted read replica of the RDS DB instance. Promote it the master.

Explanations:

Creating a snapshot of the unencrypted RDS instance and then copying it as an encrypted snapshot is the correct approach. The encrypted copy can then be restored.

Modifying an existing RDS instance to enable encryption at rest is not possible. The database must be restored from an encrypted snapshot, not modified directly.

Restoring an unencrypted snapshot into an encrypted RDS instance is not valid. The instance must come from an encrypted snapshot.

Creating an encrypted read replica and promoting it to master is not a viable solution to enable encryption at rest on the original DB instance. The read replica must be from an encrypted source.

2025-10-01

1 Comment

  1. Mark
    Author

    I plot that the answer is:
    Create a snapshot of the unencrypted RDS DB instance. Create an encrypted copy of the unencrypted snapshot. Restore the encrypted snapshot copy.

Leave a Reply

Your email address will not be published. Required fields are marked *

3 × two =