Exam AWS Certified Security - Specialty topic 1 question 257 discussion

Create a snapshot of the source DB instance and encrypt it In the Amazon RDS console navigation pane, choose Snapshots, and select the DB snapshot you created. For Actions, choose Copy Snapshot. Provide the destination AWS Region and the name of the DB snapshot copy in the corresponding fields. Select the Enable Encryption checkbox. For Master Key, specify the AWS KMS key identifier to use to encrypt the DB snapshot copy. Choose Copy Snapshot. For more information, see Copying a snapshot in the Amazon RDS documentation. Prepare the target DB instance On the Amazon RDS console, choose Snapshots. Choose the encrypted snapshot that you created. For Actions, choose Restore Snapshot. For DB Instance Identifier, provide a unique name for the new DB instance. Review the instance details, and then choose Restore DB Instance. A new, encrypted DB Instance will be created from your snapshot. For more information, see Restoring from a DB snapshot in the Amazon RDS documentation. A and D

AD are the correct answers.

According to AWS documentation, you can encrypt an existing Amazon RDS for PostgreSQL DB instance by creating a snapshot of your DB instance, and then creating an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot to get an encrypted copy of your original DB instance.

In the Amazon RDS console navigation pane, choose Snapshots, and select the DB snapshot you created. For Actions, choose Copy Snapshot. Provide the destination AWS Region and the name of the DB snapshot copy in the corresponding fields. Select the Enable Encryption checkbox. For Master Key, specify the KMS key identifier to use to encrypt the DB snapshot copy. Choose Copy Snapshot. Reference: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html

For thoses who ask why not C : Users do not create AWS managed keys

A and D is correct

C is wrong --> Because "you" don't create AWS managed keys. Answer A & D

A and D is correct. RDS snapshot can only be encrypted during snapshot copy, so A is correct. E is wrong because there is no way to encrypt a RDS snapshot without copying it to a new snapshot. AWS explains how RDS snapshot is encrypted in this video clip. https://www.youtube.com/watch?v=Pn5EIHCGslE

A & E is not confusing once you are clear with the distinctive "Copy Snapshot" between these two.

May I know why it's not C?

Its A & D. You can't enable encryption on the Snapshot creation. First, you have to create a Snapshot and then Copy the snapshot to the same region / across .During the Copy Snapshot only you can enable encryption. So Option A is Correct. D is correct. docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CopySnapshot.html docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html

on D almost all agreed and A is 100% guaranteed

is AD You can enable encryption for an Amazon RDS DB instance only when you create it, not after the DB instance is created. You can enable encryption for an Amazon RDS DB instance when you create it, but not after it's created. However, you can add encryption to an unencrypted DB instance by creating a snapshot of your DB instance, and then creating an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot to get an encrypted copy of your original DB instance. https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html

DE is my answer.

DE is the correct answer

Short description Amazon RDS has the following limitations for encrypted DB instances: You can't modify an existing unencrypted Amazon RDS DB instance to encrypt the instance. You can't create an encrypted read replica from an unencrypted instance. To work around these limitations, see How can I encrypt an unencrypted Amazon RDS DB instance for MySQL or MariaDB with minimal downtime? Do the following: 1. Encrypt an unencrypted snapshot that you take from an unencrypted read replica of the DB instance. 2. Restore a new DB instance from the encrypted snapshot to deploy a new encrypted DB instance. 3. Use MySQL replication to synchronize changes from the source to the new encrypted DB instance. and final answe is DE 4. Verify that the new, encrypted DB instance is in sync with the source DB instance.

D,E ....A is wrong for me...https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html