Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 382 discussion

You can't restore from a DB snapshot to an existing DB instance; a new DB instance is created when you restore. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RestoreFromSnapshot.html#USER_RestoreFromSnapshot.CON So answer A is right

A. Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot. When you restore from a snapshot a new DB instance is provisioned

Most commonly used question. Available in every dump almost.

Option A: Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot, could be a valid solution, but it is less preferred compared to Option C. The reason is that in Option A, you would need to replace the existing DB instance, which would require downtime and potentially cause disruption to the online transaction processing (OLTP) workload. Also, this option may require additional steps to ensure that the new DB instance has the same configuration as the original instance, such as security groups, subnets, and parameter groups. These steps could add complexity and risk to the migration process. On the other hand, Option C avoids these issues by encrypting the snapshots while they are stored and preserving the existing DB instance. This minimizes the risk of disruption and provides a more straightforward and secure solution for encrypting the database and its snapshots.

The best option to ensure the database and snapshots are always encrypted moving forward would be option C: Copy the snapshots and enable encryption using AWS Key Management Service (AWS KMS). Restore encrypted snapshot to an existing DB instance. In this option, the snapshots would be encrypted using AWS KMS, ensuring that the data is secure both during the snapshot process and when the data is stored. Once the snapshots are encrypted, they can be restored to an existing DB instance, preserving the existing Multi-AZ deployment and avoiding the need to create a new DB instance or perform any other complex steps. This would provide a straightforward and secure solution for encrypting the database and its snapshots.

The best option to ensure the database and snapshots are always encrypted moving forward would be option C: Copy the snapshots and enable encryption using AWS Key Management Service (AWS KMS). Restore encrypted snapshot to an existing DB instance. In this option, the snapshots would be encrypted using AWS KMS, ensuring that the data is secure both during the snapshot process and when the data is stored. Once the snapshots are encrypted, they can be restored to an existing DB instance, preserving the existing Multi-AZ deployment and avoiding the need to create a new DB instance or perform any other complex steps. This would provide a straightforward and secure solution for encrypting the database and its snapshots.

C... B is tricky and wrong...we are not replacing existing DB instance. we are creating new encrypted DB instance from it, and then repointing app to use new endpoint

Encrypt the latest snapshot taken......AAAAA

Agreed with A

AAAAAAAAAAAAAAAAAAA

Not C coz cannot restore into an existing live instance.

agreed with A

Answer is A

A is correct

Restore encrypted snapshot to an existing DB instance!! WE CAN'T RESTORE A SNAPSHOT TO AN EXISTING DB INSTANCE

A is correct

A is right.