Which combination of actions should a database specialist take to meet these requirements?
(Choose two.)
Create an Aurora Replica with encryption enabled using AWS Key Management Service (AWS KMS). Then promote the replica to master.
Use SSL/TLS to secure the in-transit connection between the financial application and the Aurora DB cluster.
Modify the existing Aurora DB cluster and enable encryption using an AWS Key Management Service (AWS KMS) encryption key. Apply the changes immediately.
Take a snapshot of the Aurora DB cluster and encrypt the snapshot using an AWS Key Management Service (AWS KMS) encryption key. Restore the snapshot to a new DB cluster and update the financial application database endpoints.
Use AWS Key Management Service (AWS KMS) to secure the in-transit connection between the financial application and the Aurora DB cluster.
Explanations:
An Aurora Replica can be created with encryption enabled only if the original cluster is already encrypted. Simply promoting an encrypted replica does not fulfill the requirement if the master cluster is not encrypted.
Using SSL/TLS secures the in-transit connection between the application and the Aurora DB cluster, ensuring that data is encrypted while being transmitted, thus meeting compliance requirements.
Encryption with AWS KMS cannot be enabled by modifying an existing, unencrypted Aurora DB cluster. Encryption must be set when the cluster is created; it cannot be turned on afterward.
Taking a snapshot of the existing Aurora DB cluster and encrypting it with AWS KMS allows for the restoration of a new encrypted DB cluster, thus fulfilling the encryption at rest requirement.
AWS KMS is not used for securing in-transit connections; instead, it is a service for managing encryption keys. In-transit encryption should be achieved through SSL/TLS.