What should be done to enable encryption for future backups?

By:
In: SAA-C02
Tagged:
With: 1 Comment
A company currently operates a web application backed by an Amazon RDS MySQL database.It has automated backups that are run daily and are not encrypted.A security audit requires future backups to be encrypted and the unencrypted backups to be destroyed.The company will make at least one encrypted backup before destroying the old backups.

What should be done to enable encryption for future backups?

Enable default encryption for the Amazon S3 bucket where backups are stored.

Modify the backup section of the database configuration to toggle the Enable encryption check box.

Create a snapshot of the database. Copy it to an encrypted snapshot. Restore the database from the encrypted snapshot.

Enable an encrypted read replica on RDS for MySQL. Promote the encrypted read replica to primary. Remove the original database instance.

Explanations:

Enabling default encryption for the Amazon S3 bucket does not directly affect the database backups. RDS backups are not stored in S3 in a manner where bucket settings apply.

There is no specific “Enable encryption” checkbox in the RDS MySQL configuration for backups. Backup encryption is managed through the snapshot and backup settings.

Creating a snapshot of the database and copying it to an encrypted snapshot enables encryption for future backups. This is the correct method to ensure backups are encrypted moving forward.

Enabling an encrypted read replica and promoting it to primary would not directly address the backup encryption requirement. This option focuses on instance replication rather than backup encryption.

2025-10-05

1 Comment

  1. Lawrence
    Author

    I deduce that the answer is:
    Create a snapshot of the database. Copy it to an encrypted snapshot. Restore the database from the encrypted snapshot.

Leave a Reply

Your email address will not be published. Required fields are marked *

12 − three =