Which combination of steps should the security engineer take to accomplish this?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company uses Amazon RDS for MySQL as a database engine for its applications.A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest.A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.

Which combination of steps should the security engineer take to accomplish this?

(Choose two.)

Create an AWS Config rule to detect the creation of encrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the AWS Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

Use AWS System Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.

Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.

Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database.

Explanations:

AWS Config can detect non-compliant RDS instances based on encryption status. EventBridge with SNS ensures timely alerts when a compliance state change occurs.

AWS Systems Manager State Manager is typically used for managing EC2 instances’ configurations, not RDS encryption. This solution is not suitable for detecting RDS encryption drift.

While creating a read replica and enabling encryption is a valid method for encrypting an unencrypted database, it is not a policy enforcement mechanism and does not address ongoing compliance monitoring.

Taking a snapshot of the unencrypted RDS database and enabling encryption during the snapshot copy process allows the creation of an encrypted database instance. The unencrypted instance can then be terminated after migration.

RDS does not support enabling encryption directly on an existing database instance. You must create a new encrypted instance using snapshots or replicas.

2025-10-08

1 Comment

  1. Sophia
    Author

    I scheme that the answer is:
    Create an AWS Config rule to detect the creation of encrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the AWS Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

Leave a Reply

Your email address will not be published. Required fields are marked *

thirteen − 6 =