Which actions should the database specialist take to meet these requirements?
(Choose two.)
Download the SSH RSA public key for Amazon DocumentDB. Update the application configuration to use the instance endpoint instead of the cluster endpoint and run queries over SSH.
Download the SSL .pem public key for Amazon DocumentDB. Add the key to the application package and make sure the application uses the key while connecting to the cluster.
Create a snapshot of the unencrypted cluster. Restore the unencrypted snapshot as a new cluster with the --storage-encrypted parameter set to true. Update the application to point to the new cluster.
Create an Amazon DocumentDB VPC endpoint to prevent the traffic from going to the Amazon DocumentDB public endpoint. Set a VPC endpoint policy to allow only the application instance’s security group to connect.
Activate encryption at rest using the modify-db-cluster command with the --storage-encrypted parameter set to true. Set the security group of the cluster to allow only the application instance's security group to connect.
Explanations:
Amazon DocumentDB is a managed service: its instances expose no SSH service and there is no "SSH RSA public key" for DocumentDB to download, so this option cannot be implemented at all. Switching the application from the cluster endpoint to an instance endpoint is also a step backwards, because it pins the application to one instance and loses automatic redirection to the new primary after a failover. Encryption in transit for DocumentDB is TLS, negotiated by the MongoDB driver when it connects with the Amazon RDS certificate bundle.
Downloading the SSL .pem bundle and shipping it with the application is the correct way to encrypt data in transit. DocumentDB server certificates chain to the Amazon RDS certificate authority, so the driver needs the bundle (for example via tlsCAFile) to verify the certificate it is presented rather than trusting it blindly. One caveat a practitioner should check: the client-side bundle only protects clients that opt in. To make the cluster reject plaintext connections from any client, the cluster parameter group's tls parameter must be enabled (it is enabled by default in new parameter groups; it is a static parameter, so changing it requires an instance reboot).
Creating a snapshot and restoring it as a new encrypted cluster is the correct way to get encryption at rest. In DocumentDB, storage encryption is decided when a cluster is created and cannot be switched on for an existing unencrypted cluster, so the supported path is exactly this one: snapshot the old cluster, restore the snapshot into a new cluster with storage encryption enabled (a KMS key is chosen at restore time), repoint the application, and retire the old cluster. Writes that land on the old cluster between the snapshot and the cutover must be migrated or prevented with a write freeze. This option covers at rest only, which is expected in a choose-two question: the .pem option covers in transit, and together they satisfy both requirements.
A VPC endpoint addresses neither requirement. DocumentDB clusters are deployed inside your VPC and their cluster and instance endpoints resolve to private addresses; there is no public data endpoint that an endpoint policy could block. Endpoint policies are also IAM-style documents that constrain principals and actions, not security groups. Restricting which security groups may reach the cluster is done with inbound rules on the cluster's own security group, and that restriction provides no encryption of data in transit or at rest.
modify-db-cluster has no --storage-encrypted parameter, because DocumentDB does not allow enabling encryption at rest on an existing cluster; the only way to obtain an encrypted copy of an unencrypted cluster is to create a new encrypted cluster (for example from a snapshot) and migrate to it. Tightening the cluster's security group is good hygiene but is not encryption, so this option meets neither requirement.
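The two checks the explanations above depend on (is storage encryption on, and does the cluster parameter group force TLS) can be verified from CLI output rather than from memory. The following is an added example written for this page; it is not part of the original question and not AWS code. It uses only the Python standard library and runs over constructed sample documents in the shape returned by `aws docdb describe-db-clusters` and `aws docdb describe-db-cluster-parameters` (the cluster names, security group, endpoint and KMS key ARN are made up). The only AWS-specific facts it relies on are the StorageEncrypted, KmsKeyId and DBClusterParameterGroup fields and the tls cluster parameter. It also goes a little beyond the text: the URI check rejects connection strings that turn TLS on but then disable certificate validation (tlsInsecure or tlsAllowInvalidCertificates), a downgrade the .pem bundle alone does not prevent.

```python
import json
from urllib.parse import parse_qs, quote_plus, urlencode, urlparse

# Constructed sample of `aws docdb describe-db-clusters` output (not a real account).
SAMPLE_CLUSTERS = json.loads("""
{
  "DBClusters": [
    {
      "DBClusterIdentifier": "orders-legacy",
      "Engine": "docdb",
      "Endpoint": "orders-legacy.cluster-cabc123.us-east-1.docdb.amazonaws.com",
      "Port": 27017,
      "DBClusterParameterGroup": "orders-tls-off",
      "StorageEncrypted": false,
      "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d", "Status": "active"}]
    },
    {
      "DBClusterIdentifier": "orders-encrypted",
      "Engine": "docdb",
      "Endpoint": "orders-encrypted.cluster-cabc123.us-east-1.docdb.amazonaws.com",
      "Port": 27017,
      "DBClusterParameterGroup": "default.docdb5.0",
      "StorageEncrypted": true,
      "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
      "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d", "Status": "active"}]
    }
  ]
}
""")

# Constructed samples of `aws docdb describe-db-cluster-parameters` output, keyed by
# parameter group name; only the `tls` parameter matters for this check.
SAMPLE_PARAMETERS = {
    "orders-tls-off": {"Parameters": [
        {"ParameterName": "tls", "ParameterValue": "disabled", "ApplyType": "static"}]},
    "default.docdb5.0": {"Parameters": [
        {"ParameterName": "tls", "ParameterValue": "enabled", "ApplyType": "static"}]},
}


def audit_cluster(clusters_doc, params_by_group, cluster_id):
    """Return encryption findings for one cluster.

    storage_encrypted answers encryption at rest (fixed at creation time);
    tls_enforced answers whether the server rejects non-TLS clients.
    """
    cluster = next(c for c in clusters_doc["DBClusters"]
                   if c["DBClusterIdentifier"] == cluster_id)
    group = cluster["DBClusterParameterGroup"]
    params = {p["ParameterName"]: p["ParameterValue"]
              for p in params_by_group[group]["Parameters"]}
    findings = {
        "cluster": cluster_id,
        "storage_encrypted": bool(cluster.get("StorageEncrypted", False)),
        "kms_key_id": cluster.get("KmsKeyId"),
        "parameter_group": group,
        "tls_enforced": params.get("tls") == "enabled",
    }
    findings["ok"] = findings["storage_encrypted"] and findings["tls_enforced"]
    return findings


def build_docdb_uri(host, port, user, password, ca_file, replica_set="rs0"):
    """Connection string that makes the MongoDB driver verify the cluster certificate
    against the Amazon RDS CA bundle shipped with the application (ca_file)."""
    options = {
        "tls": "true",
        "tlsCAFile": ca_file,
        "replicaSet": replica_set,
        "readPreference": "secondaryPreferred",
        "retryWrites": "false",
    }
    return (f"mongodb://{quote_plus(user)}:{quote_plus(password)}"
            f"@{host}:{port}/?{urlencode(options)}")


def uri_requires_tls(uri):
    """True only if the URI turns TLS on, pins a CA file, and does not disable
    certificate validation; anything else can be downgraded or spoofed."""
    query = {k.lower(): v[-1].lower() for k, v in parse_qs(urlparse(uri).query).items()}
    tls_on = query.get("tls", query.get("ssl")) == "true"
    has_ca = bool(query.get("tlscafile"))
    validation_off = (query.get("tlsinsecure") == "true"
                      or query.get("tlsallowinvalidcertificates") == "true")
    return tls_on and has_ca and not validation_off


if __name__ == "__main__":
    for cid in ("orders-legacy", "orders-encrypted"):
        print(json.dumps(audit_cluster(SAMPLE_CLUSTERS, SAMPLE_PARAMETERS, cid), indent=2))
    uri = build_docdb_uri("orders-encrypted.cluster-cabc123.us-east-1.docdb.amazonaws.com",
                          27017, "app", "s3cret/pass", "/app/certs/global-bundle.pem")
    print(uri, "->", "TLS enforced" if uri_requires_tls(uri) else "NOT safe")
```

In real use, feed audit_cluster the parsed output of the two CLI commands (describe-db-cluster-parameters must be run once per parameter group) and run uri_requires_tls against the connection string the application actually loads from its configuration, so a later edit that drops tlsCAFile or adds tlsInsecure=true fails a deployment check instead of silently weakening the connection.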