What should the database specialist do to enable encryption at rest for the Amazon DocumentDB cluster?
Take a snapshot of the Amazon DocumentDB cluster. Restore the unencrypted snapshot as a new cluster while specifying the encryption option, and provide an AWS Key Management Service (AWS KMS) key.
Enable encryption for the Amazon DocumentDB cluster on the AWS Management Console. Reboot the cluster.
Modify the Amazon DocumentDB cluster by using the modify-db-cluster command with the --storage-encrypted parameter set to true.
Add a new encrypted instance to the Amazon DocumentDB cluster, and then delete an unencrypted instance from the cluster. Repeat until all instances are encrypted.
Explanations:
Encryption at rest cannot be enabled directly on an existing unencrypted cluster. Taking a snapshot and restoring it as a new cluster with encryption enabled (supplying an AWS KMS key) is the correct approach.
Encryption cannot be enabled on an existing cluster by simply modifying the cluster through the console or rebooting it.
The modify-db-cluster command cannot enable encryption on an already existing unencrypted cluster. Encryption must be specified at the time of cluster creation or during restoration from a snapshot.
Adding and deleting instances will not enable encryption for the entire cluster. Encryption must be enabled during cluster creation or by restoring from an encrypted snapshot.