What should a solutions architect do to ensure the database and snapshots are always encrypted moving forward?
Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.
Create a new encrypted Amazon Elastic Block Store (Amazon EBS) volume and copy the snapshots to it. Enable encryption on the DB instance.
Copy the snapshots and enable encryption using AWS Key Management Service (AWS KMS). Restore the encrypted snapshot to an existing DB instance.
Copy the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS).
Explanations:
Encrypting a copy of the latest DB snapshot and restoring it creates a new encrypted RDS instance, ensuring both the database and its snapshots are encrypted. This is the correct approach to transition an existing unencrypted instance to an encrypted one.
Creating a new encrypted Amazon EBS volume does not encrypt the RDS instance or its snapshots. RDS manages its own storage and does not let you attach a standalone EBS volume to a DB instance, so this approach cannot bring the RDS database under encryption.
While copying the snapshots and enabling encryption with AWS KMS sounds valid, it does not directly address the need to ensure the original database is encrypted. Simply restoring to an existing DB instance would not guarantee that the database itself is encrypted, as the original instance remains unencrypted.
Copying snapshots to an S3 bucket with server-side encryption does not ensure that the RDS instance and its snapshots are encrypted at the database level. This approach only encrypts the storage but does not apply encryption to the RDS database itself.
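The following is an added example, not part of the original question or of any AWS documentation: a small Python audit that reads data shaped like the output of `aws rds describe-db-instances` and `aws rds describe-db-snapshots` (constructed inline here, no AWS calls are made), flags what is unencrypted, and emits the ordered AWS CLI steps for the correct answer: copy the latest snapshot with a KMS key, restore a new instance from the encrypted copy, then rename the instances so the original identifier (and endpoint name) is preserved. The KMS key alias, instance names and snapshot names are placeholders.

```python
"""Audit RDS instances/snapshots for missing encryption at rest and plan the
snapshot-copy-and-restore remediation.

Added example with constructed input; the KMS key alias and identifiers are
placeholders, not values from the question."""

# Constructed sample shaped like `aws rds describe-db-instances` output.
SAMPLE_INSTANCES = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": False},
        {"DBInstanceIdentifier": "reports-db", "StorageEncrypted": True},
    ]
}

# Constructed sample shaped like `aws rds describe-db-snapshots` output.
SAMPLE_SNAPSHOTS = {
    "DBSnapshots": [
        {"DBSnapshotIdentifier": "orders-db-2024-01-01", "DBInstanceIdentifier": "orders-db",
         "SnapshotCreateTime": "2024-01-01T00:00:00Z", "Encrypted": False},
        {"DBSnapshotIdentifier": "orders-db-2024-02-01", "DBInstanceIdentifier": "orders-db",
         "SnapshotCreateTime": "2024-02-01T00:00:00Z", "Encrypted": False},
        {"DBSnapshotIdentifier": "reports-db-2024-02-01", "DBInstanceIdentifier": "reports-db",
         "SnapshotCreateTime": "2024-02-01T00:00:00Z", "Encrypted": True},
    ]
}

KMS_KEY_ID = "alias/rds-at-rest"  # placeholder KMS key alias (assumption)


def find_unencrypted(instances, snapshots):
    """Return (instance_ids, snapshot_ids) that lack encryption at rest."""
    inst = sorted(i["DBInstanceIdentifier"] for i in instances["DBInstances"]
                  if not i.get("StorageEncrypted", False))
    snaps = sorted(s["DBSnapshotIdentifier"] for s in snapshots["DBSnapshots"]
                   if not s.get("Encrypted", False))
    return inst, snaps


def latest_snapshot(snapshots, instance_id):
    """Most recent snapshot of an instance (ISO-8601 timestamps sort lexically)."""
    candidates = [s for s in snapshots["DBSnapshots"]
                  if s["DBInstanceIdentifier"] == instance_id]
    if not candidates:
        raise ValueError(f"no snapshot available for {instance_id}; take one first")
    return max(candidates, key=lambda s: s["SnapshotCreateTime"])


def remediation_plan(instances, snapshots, kms_key_id=KMS_KEY_ID):
    """Ordered AWS CLI steps per unencrypted instance: encrypted snapshot copy,
    restore from it, then swap identifiers so the endpoint name is kept."""
    plan = {}
    unencrypted_instances, _ = find_unencrypted(instances, snapshots)
    for inst_id in unencrypted_instances:
        src = latest_snapshot(snapshots, inst_id)["DBSnapshotIdentifier"]
        enc_snap = f"{src}-encrypted"
        new_inst = f"{inst_id}-encrypted"
        plan[inst_id] = [
            # 1. Copy the snapshot; passing --kms-key-id makes the copy encrypted.
            f"aws rds copy-db-snapshot --source-db-snapshot-identifier {src} "
            f"--target-db-snapshot-identifier {enc_snap} --kms-key-id {kms_key_id}",
            # 2. An instance restored from an encrypted snapshot is encrypted, and
            #    every automated or manual snapshot it produces from now on is too.
            f"aws rds restore-db-instance-from-db-snapshot --db-instance-identifier {new_inst} "
            f"--db-snapshot-identifier {enc_snap}",
            # 3. Replace the old instance: rename it aside, then rename the new one into place.
            f"aws rds modify-db-instance --db-instance-identifier {inst_id} "
            f"--new-db-instance-identifier {inst_id}-unencrypted-old --apply-immediately",
            f"aws rds modify-db-instance --db-instance-identifier {new_inst} "
            f"--new-db-instance-identifier {inst_id} --apply-immediately",
        ]
    return plan


if __name__ == "__main__":
    bad_inst, bad_snaps = find_unencrypted(SAMPLE_INSTANCES, SAMPLE_SNAPSHOTS)
    print("unencrypted instances:", bad_inst)
    print("unencrypted snapshots:", bad_snaps)
    for inst_id, steps in remediation_plan(SAMPLE_INSTANCES, SAMPLE_SNAPSHOTS).items():
        print(f"\n# {inst_id}")
        print("\n".join(steps))
```

Rerunning the audit after the cutover should show no unencrypted instances; the pre-existing unencrypted snapshots still appear until they are deleted, which is the remaining clean-up step once the restored instance has been verified.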