Which combination of actions should the database specialist take to meet these requirements?
(Choose three.)
In the RDS console, choose ג€Enable encryptionג€ to encrypt the DB instance by using an AWS Key Management Service (AWS KMS) key.
Encrypt the read replica of the unencrypted DB instance by using an AWS Key Management Service (AWS KMS) key. Fail over the read replica to the primary DB instance.
Create a snapshot of the unencrypted DB instance. Encrypt the snapshot by using an AWS Key Management Service (AWS KMS) key. Restore the DB instance from the encrypted snapshot. Delete the original DB instance.
Require SSL connections for applicable database user accounts.
Use SSL/TLS from the application to encrypt a connection to the DB instance.
Enable SSH encryption on the DB instance.
Explanations:
The “Enable encryption” option in the RDS console is not available for an already running unencrypted DB instance. To enable encryption, you must create a new instance using an encrypted snapshot or use a read replica strategy.
Creating a read replica and failing it over to the primary DB instance is not a valid way to enable encryption for an unencrypted DB instance. Encryption must be enabled using snapshots or a fresh restore process.
Creating a snapshot of the unencrypted DB instance, encrypting it using AWS KMS, and restoring the DB instance from the encrypted snapshot is the correct method to enable encryption for an existing DB instance.
Requiring SSL connections for database user accounts ensures encrypted communication between the database and its clients, satisfying the requirement to encrypt connections.
Using SSL/TLS from the application to encrypt the connection to the DB instance ensures that all data transmitted between the application and the DB instance is encrypted, meeting the encryption requirement for connections.
SSH encryption is not used for encrypting connections to a MySQL database in RDS. MySQL connections are encrypted using SSL/TLS, not SSH.