How should the SysOps administrator accomplish this goal?
Copy the data volumes of the unencrypted instance. Apply the KMS key to the copied data volumes. Start the instance with the encrypted volumes.
Create a read replica of the unencrypted instance. Encrypt the read replica with the KMS key. Promote the read replica to become the primary instance.
Take a snapshot of the unencrypted instance. Apply the KMS key to the existing instance using the modify-db-instance command. Restart the instance.
Take a snapshot of the unencrypted instance. Create an encrypted copy of the snapshot with the KMS key. Restore the instance from the encrypted snapshot.
Explanations:
You cannot apply a KMS key directly to existing data volumes. Encrypted volumes must be created from an encrypted snapshot or read replica.
While creating a read replica is a valid approach, it cannot directly encrypt the primary instance. After promoting the replica, the original instance remains unencrypted.
You cannot apply a KMS key to an existing unencrypted DB instance using themodify-db-instancecommand. Encryption requires creating a new encrypted copy of the data.
This is the correct approach. After taking a snapshot of the unencrypted instance, you can create an encrypted copy of the snapshot using the KMS key and restore the DB instance from that encrypted snapshot.
I opine that the answer is:
Take a snapshot of the unencrypted instance. Create an encrypted copy of the snapshot with the KMS key. Restore the instance from the encrypted snapshot.