Exam AWS Certified Security - Specialty topic 1 question 257 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 257
Topic #: 1

A company has an application that uses an Amazon RDS PostgreSQL database. The company is developing an application feature that will store sensitive information for an individual in the database.
During a security review of the environment, the company discovers that the RDS DB instance is not encrypting data at rest. The company needs a solution that will provide encryption at rest for all the existing data and for any new data that is entered for an individual.
Which combination of options can the company use to meet these requirements? (Choose two.)

  • A. Create a snapshot of the DB instance. Copy the snapshot to a new snapshot, and enable encryption for the copy process. Use the new snapshot to restore the DB instance.
  • B. Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB instance. Use the snapshot to restore the DB instance.
  • C. Use AWS Key Management Service (AWS KMS) to create a new default AWS managed aws/rds key. Select this key as the encryption key for operations with Amazon RDS.
  • D. Use AWS Key Management Service (AWS KMS) to create a new CMK. Select this key as the encryption key for operations with Amazon RDS.
  • E. Create a snapshot of the DB instance. Enable encryption on the snapshot. Use the snapshot to restore the DB instance.
Suggested Answer: AD

Comments

argol
Highly Voted 3 years, 2 months ago
Create a snapshot of the source DB instance and encrypt it:
In the Amazon RDS console navigation pane, choose Snapshots, and select the DB snapshot you created.
For Actions, choose Copy Snapshot.
Provide the destination AWS Region and the name of the DB snapshot copy in the corresponding fields.
Select the Enable Encryption checkbox.
For Master Key, specify the AWS KMS key identifier to use to encrypt the DB snapshot copy.
Choose Copy Snapshot.
For more information, see Copying a snapshot in the Amazon RDS documentation.
Prepare the target DB instance:
On the Amazon RDS console, choose Snapshots.
Choose the encrypted snapshot that you created.
For Actions, choose Restore Snapshot.
For DB Instance Identifier, provide a unique name for the new DB instance.
Review the instance details, and then choose Restore DB Instance. A new, encrypted DB Instance will be created from your snapshot.
For more information, see Restoring from a DB snapshot in the Amazon RDS documentation.
A and D
upvoted 12 times
...
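The console steps in the comment above, scripted with the AWS CLI as an added example (not part of the original thread and not AWS's own tooling). The function name, the `AWS_CLI` override variable and the generated snapshot names are assumptions of this example; the key passed in stands for the customer managed key from option D.

```shell
#!/bin/sh
# Added example: snapshot -> encrypted copy -> restore, with the AWS CLI.
# AWS_CLI (an assumption of this example) lets a dry run or test replace `aws`.
# All identifiers are supplied by the caller; none come from the page.

# Usage: rds_encrypt_via_snapshot SOURCE_DB NEW_DB KMS_KEY_ID
# Prints the new instance identifier on success, non-zero status on failure.
rds_encrypt_via_snapshot() (
    src_db=$1; new_db=$2; kms_key=$3
    aws=${AWS_CLI:-aws}
    [ -n "$src_db" ] && [ -n "$new_db" ] && [ -n "$kms_key" ] || {
        echo "usage: rds_encrypt_via_snapshot SOURCE_DB NEW_DB KMS_KEY_ID" >&2
        exit 2
    }
    plain_snap="${src_db}-plain-$$"     # unencrypted snapshot of the source
    enc_snap="${src_db}-encrypted-$$"   # encrypted copy of that snapshot

    # 1. Snapshot the unencrypted instance. The snapshot inherits the
    #    instance's encryption state, so this one is unencrypted.
    "$aws" rds create-db-snapshot --db-instance-identifier "$src_db" \
        --db-snapshot-identifier "$plain_snap" >/dev/null || exit 1
    "$aws" rds wait db-snapshot-available \
        --db-snapshot-identifier "$plain_snap" || exit 1

    # 2. Copy the snapshot; supplying --kms-key-id is what encrypts the copy.
    "$aws" rds copy-db-snapshot --source-db-snapshot-identifier "$plain_snap" \
        --target-db-snapshot-identifier "$enc_snap" \
        --kms-key-id "$kms_key" >/dev/null || exit 1
    "$aws" rds wait db-snapshot-available \
        --db-snapshot-identifier "$enc_snap" || exit 1

    # 3. Refuse to restore unless the copy really reports Encrypted=True.
    enc=$("$aws" rds describe-db-snapshots --db-snapshot-identifier "$enc_snap" \
        --query 'DBSnapshots[0].Encrypted' --output text) || exit 1
    case $enc in [Tt]rue) ;; *)
        echo "snapshot $enc_snap is not encrypted; aborting" >&2; exit 1 ;;
    esac

    # 4. Restore a new instance from the encrypted copy and wait for it.
    "$aws" rds restore-db-instance-from-db-snapshot \
        --db-instance-identifier "$new_db" \
        --db-snapshot-identifier "$enc_snap" >/dev/null || exit 1
    "$aws" rds wait db-instance-available \
        --db-instance-identifier "$new_db" || exit 1
    echo "$new_db"
)
```

The source instance is left running and unencrypted; repointing the application to the new instance and retiring the old one and the unencrypted snapshot are separate steps.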
Raphaello
Most Recent 10 months, 3 weeks ago
Selected Answer: AD
AD are the correct answers.
upvoted 1 times
...
ITGURU51
1 year, 8 months ago
According to AWS documentation, you can encrypt an existing Amazon RDS for PostgreSQL DB instance by creating a snapshot of your DB instance, and then creating an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot to get an encrypted copy of your original DB instance.
upvoted 1 times
...
sakibmas
2 years ago
Selected Answer: AD
In the Amazon RDS console navigation pane, choose Snapshots, and select the DB snapshot you created. For Actions, choose Copy Snapshot. Provide the destination AWS Region and the name of the DB snapshot copy in the corresponding fields. Select the Enable Encryption checkbox. For Master Key, specify the KMS key identifier to use to encrypt the DB snapshot copy. Choose Copy Snapshot. Reference: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html
upvoted 1 times
...
sapien45
2 years, 4 months ago
Selected Answer: AD
For those who ask why not C: Users do not create AWS managed keys
upvoted 4 times
...
RaySmith
2 years, 10 months ago
A and D are correct
upvoted 1 times
...
Radhaghosh
2 years, 11 months ago
C is wrong --> Because "you" don't create AWS managed keys. Answer A & D
upvoted 1 times
...
jayaj
3 years ago
A and D are correct. An RDS snapshot can only be encrypted during snapshot copy, so A is correct. E is wrong because there is no way to encrypt an RDS snapshot without copying it to a new snapshot. AWS explains how an RDS snapshot is encrypted in this video clip: https://www.youtube.com/watch?v=Pn5EIHCGslE
upvoted 1 times
...
boooliyooo
3 years, 1 month ago
A & E is not confusing once you are clear with the distinctive "Copy Snapshot" between these two.
upvoted 1 times
boooliyooo
1 year, 12 months ago
Correction to A,D: Option E is not a valid solution because it is not possible to enable encryption on a snapshot of a DB instance. Snapshots can only be taken of an already-encrypted DB instance and cannot be used to enable encryption. Instead, the DB instance itself must be modified to enable encryption. This can be done by either creating a copy of the DB instance with encryption enabled or by modifying the configuration of the existing DB instance to enable encryption.
upvoted 1 times
...
...
AkaAka4
3 years, 1 month ago
May I know why it's not C?
upvoted 1 times
vasmourir
3 years, 1 month ago
Because "you" don't create AWS managed keys. AWS does, by definition.
upvoted 2 times
...
...
VeeraB
3 years, 2 months ago
It's A & D. You can't enable encryption on the Snapshot creation. First, you have to create a Snapshot and then Copy the snapshot to the same region / across. During the Copy Snapshot only you can enable encryption. So Option A is Correct. D is correct.
docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CopySnapshot.html
docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html
upvoted 4 times
...
ExtHo
3 years, 2 months ago
on D almost all agreed and A is 100% guaranteed
upvoted 3 times
...
robbyyy
3 years, 2 months ago
Is AD. You can enable encryption for an Amazon RDS DB instance only when you create it, not after the DB instance is created. You can enable encryption for an Amazon RDS DB instance when you create it, but not after it's created. However, you can add encryption to an unencrypted DB instance by creating a snapshot of your DB instance, and then creating an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot to get an encrypted copy of your original DB instance.
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html
upvoted 3 times
...
hk436
3 years, 3 months ago
DE is my answer.
upvoted 1 times
...
kiev
3 years, 3 months ago
DE is the correct answer
upvoted 2 times
...
kiev
3 years, 3 months ago
Short description
Amazon RDS has the following limitations for encrypted DB instances:
You can't modify an existing unencrypted Amazon RDS DB instance to encrypt the instance.
You can't create an encrypted read replica from an unencrypted instance.
To work around these limitations, see How can I encrypt an unencrypted Amazon RDS DB instance for MySQL or MariaDB with minimal downtime? Do the following:
1. Encrypt an unencrypted snapshot that you take from an unencrypted read replica of the DB instance.
2. Restore a new DB instance from the encrypted snapshot to deploy a new encrypted DB instance.
3. Use MySQL replication to synchronize changes from the source to the new encrypted DB instance. and final answer is DE
4. Verify that the new, encrypted DB instance is in sync with the source DB instance.
upvoted 1 times
...
santosar
3 years, 3 months ago
D, E .... A is wrong for me... https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html
upvoted 3 times
EricR17
3 years, 2 months ago
From the link you posted: You can enable encryption for an Amazon RDS DB instance when you create it, but not after it's created. However, you can add encryption to an unencrypted DB instance by creating a snapshot of your DB instance, and then creating an encrypted copy of that snapshot. That's answer A.
upvoted 2 times
...
...