Which process should the database specialist recommend?
Create an encrypted snapshot of the unencrypted DB instance. Copy the encrypted snapshot to Amazon S3. Restore the DB instance from the encrypted snapshot using Amazon S3.
Create a new RDS for MySQL DB instance with encryption enabled. Restore the unencrypted snapshot to this DB instance.
Create a snapshot of the unencrypted DB instance. Create an encrypted copy of the snapshot. Restore the DB instance from the encrypted snapshot.
Temporarily shut down the unencrypted DB instance. Enable AWS KMS encryption in the AWS Management Console using an AWS managed CMK. Restart the DB instance in an encrypted state.
Explanations:
Creating an encrypted snapshot and copying it to Amazon S3 is not a valid method for encrypting an RDS DB instance. The process for encryption involves using snapshots directly in RDS, not copying to S3.
This option involves creating a new DB instance and restoring the unencrypted snapshot to it, which would not enable encryption. A new DB instance must be restored from an encrypted snapshot, not the unencrypted one.
This is the correct approach. Creating a snapshot of the unencrypted DB instance, then creating an encrypted copy of that snapshot, and restoring from the encrypted snapshot is the proper method to enable encryption.
You cannot enable encryption on an existing RDS instance. Encryption must be applied at the time of instance creation, not by modifying the encryption setting of an existing instance.