Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 44 discussion

A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.
Which combination of steps should the security engineer take to accomplish this? (Choose two.)

  • A. Create an AWS Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge rule to trigger on the AWS Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
  • B. Use AWS Systems Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
  • C. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.
  • D. Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.
  • E. Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database.
Suggested Answer: AD
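
The snapshot route in option D, sketched against boto3's RDS operations as an added example (it is not part of the original question or of any comment). `DryRunRDS`, the snapshot naming scheme and `alias/example-rds-key` are constructed for illustration; passing a real `boto3.client("rds")` instead makes the same functions issue live calls.

```python
def unencrypted_instances(rds):
    """Identifiers of DB instances whose storage is not encrypted."""
    return [db["DBInstanceIdentifier"]
            for page in rds.get_paginator("describe_db_instances").paginate()
            for db in page["DBInstances"]
            if not db.get("StorageEncrypted", False)]


def restore_encrypted_copy(rds, instance_id, kms_key_id):
    """Snapshot, copy the snapshot with encryption, restore as a new instance."""
    plain_snap = f"{instance_id}-plain-snap"  # hypothetical naming scheme
    enc_snap = f"{instance_id}-enc-snap"
    new_id = f"{instance_id}-enc"
    rds.create_db_snapshot(DBSnapshotIdentifier=plain_snap,
                           DBInstanceIdentifier=instance_id)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=plain_snap)
    # Encryption is applied at copy time by naming a KMS key.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=plain_snap,
                         TargetDBSnapshotIdentifier=enc_snap,
                         KmsKeyId=kms_key_id)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=enc_snap)
    # An instance restored from an encrypted snapshot is itself encrypted.
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=new_id,
                                             DBSnapshotIdentifier=enc_snap)
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=new_id)
    # The source instance is left running: verify the copy and cut over first.
    return new_id


class DryRunRDS:
    """Constructed stand-in for boto3.client("rds"); records calls, no AWS access."""
    def __init__(self, instances):
        self.instances, self.calls = instances, []
    def get_paginator(self, _name): return self
    def paginate(self): yield {"DBInstances": self.instances}
    def get_waiter(self, _name): return self
    def wait(self, **_kwargs): pass
    def __getattr__(self, operation):
        return lambda **kwargs: self.calls.append((operation, kwargs))


if __name__ == "__main__":
    rds = DryRunRDS([{"DBInstanceIdentifier": "orders-db", "StorageEncrypted": False},
                     {"DBInstanceIdentifier": "audit-db", "StorageEncrypted": True}])
    for name in unencrypted_instances(rds):
        print(name, "->", restore_encrypted_copy(rds, name, "alias/example-rds-key"))
    for operation, kwargs in rds.calls:
        print(operation, kwargs)
```

The restored instance gets a new identifier and endpoint, so the application has to be repointed before the unencrypted instance is terminated.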

Comments

ahrentom
Highly Voted 1 year, 1 month ago
Selected Answer: AD
A and D, here's another source: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-remediate-unencrypted-amazon-rds-db-instances-and-clusters.html
upvoted 9 times
...
Zek
Most Recent 6 months, 4 weeks ago
AD - Use AWS Config to track configuration changes and then take snapshot to enable encryption
upvoted 1 times
...
Boul
8 months, 3 weeks ago
AD. C is not correct because you can't have an encrypted read replica of an unencrypted DB instance or an unencrypted read replica of an encrypted DB instance.
upvoted 2 times
...
Noexperience
9 months, 1 week ago
Selected Answer: AC
C. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance. Addresses Existing Issue: This directly resolves the compliance issue of the unencrypted RDS instance. It ensures data-at-rest encryption while minimizing application downtime. Minimizes Disruption: Replicating with encryption avoids modifying the primary database directly, reducing the risk of application issues.
upvoted 1 times
...
Raphaello
10 months ago
Selected Answer: AD
AD Config to track drift, and taking snapshot to encrypt current RDS.
upvoted 1 times
...
trashbox
11 months, 3 weeks ago
Exam on 2023-12-18
upvoted 1 times
...
100fold
1 year, 1 month ago
Selected Answer: AD
Answer is AD. https://www.examtopics.com/discussions/amazon/view/60595-exam-aws-certified-security-specialty-topic-1-question-275/
upvoted 2 times
...