How should the Database Specialist satisfy this new requirement?
Create a snapshot of the unencrypted RDS DB instance. Create an encrypted copy of the unencrypted snapshot. Restore the encrypted snapshot copy.
Modify the RDS DB instance. Enable the AWS KMS encryption option that leverages the AWS CLI.
Restore an unencrypted snapshot into a MySQL RDS DB instance that is encrypted.
Create an encrypted read replica of the RDS DB instance. Promote it the master.
Explanations:
Creating a snapshot of the unencrypted RDS instance and then copying it as an encrypted snapshot is the correct approach. The encrypted copy can then be restored.
Modifying an existing RDS instance to enable encryption at rest is not possible. The database must be restored from an encrypted snapshot, not modified directly.
Restoring an unencrypted snapshot into an encrypted RDS instance is not valid. The instance must come from an encrypted snapshot.
Creating an encrypted read replica and promoting it to master is not a viable solution to enable encryption at rest on the original DB instance. The read replica must be from an encrypted source.
I plot that the answer is:
Create a snapshot of the unencrypted RDS DB instance. Create an encrypted copy of the unencrypted snapshot. Restore the encrypted snapshot copy.