ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Associate SAA-C03 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Associate SAA-C03 exam
Go to Exam

Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 121 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Associate SAA-C03
Question #: 121
Topic #: 1
[All AWS Certified Solutions Architect - Associate SAA-C03 Questions]

A company is running an online transaction processing (OLTP) workload on AWS. This workload uses an unencrypted Amazon RDS DB instance in a Multi-AZ deployment. Daily database snapshots are taken from this instance.
What should a solutions architect do to ensure the database and snapshots are always encrypted moving forward?

  • A. Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.
  • B. Create a new encrypted Amazon Elastic Block Store (Amazon EBS) volume and copy the snapshots to it. Enable encryption on the DB instance.
  • C. Copy the snapshots and enable encryption using AWS Key Management Service (AWS KMS) Restore encrypted snapshot to an existing DB instance.
  • D. Copy the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS).
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by 123jhl0 at Oct. 19, 2022, 8:53 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
123jhl0
Highly Voted 2 years, 8 months ago
Selected Answer: A
"You can enable encryption for an Amazon RDS DB instance when you create it, but not after it's created. However, you can add encryption to an unencrypted DB instance by creating a snapshot of your DB instance, and then creating an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot to get an encrypted copy of your original DB instance." https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html
upvoted 67 times
1e22522
11 months ago
thats crazy cuh the more you know ig
upvoted 2 times
...
Futurebones
2 years, 1 month ago
How can A gurantee future encryption?
upvoted 4 times
Smart
1 year, 11 months ago
Once DB is encrypted, newer snapshots and read replicas will also be encrypted.
upvoted 8 times
...
...
JoeGuan
1 year, 10 months ago
I agree, there is no reason to copy all of the snapshots and ecnrypt them all. You just need one encrypted snapshot, moving forward they will all be encrypted. C is close but I think there is no reason to copy all the snapshots plural. There is a wizard to go through and select the snapshot to encrypt. "In the Amazon RDS console navigation pane, choose Snapshots, and select the DB snapshot you created. For Actions, choose Copy Snapshot. Provide the destination AWS Region and the name of the DB snapshot copy in the corresponding fields. Select the Enable Encryption checkbox. For Master Key, specify the KMS key identifier to use to encrypt the DB snapshot copy. Choose Copy Snapshot. For more information, see Copying a snapshot in the Amazon RDS documentation". What if you had 30 snapshotS? You just need to do it once.
upvoted 4 times
Guru4Cloud
1 year, 10 months ago
In simple terms, you double it the affort of your work and spending money by creating unnessary snapshots... so A is the best choice
upvoted 2 times
...
...
...
kruasan
Highly Voted 2 years, 2 months ago
Selected Answer: A
You can't restore from a DB snapshot to an existing DB instance; a new DB instance is created when you restore.
upvoted 5 times
...
rmanuraj
Most Recent 6 months, 2 weeks ago
Selected Answer: A
A seems to be the correct option compared to C. In the question it clearly says the current DB instance is an unencrypted Amazon RDS DB instance. And you can't restore an encrypted snapshot to an unencrypted DB instance.
upvoted 1 times
...
PaulGa
9 months, 2 weeks ago
Selected Answer: A
Ans A - I must admit almsot put Ans C, but re-reading question and seeing comments its clear that encryption is needed "moving forward" so C is overkill...
upvoted 2 times
...
jaradat02
11 months, 1 week ago
Selected Answer: A
Replacing a snapshots creates a new one instead of restoring the old one.
upvoted 2 times
...
Saadiii
1 year, 1 month ago
Selected Answer: A
I feel this is a bit tricky in the way the question is asked, but C implies that you are encrypting the snapshot. You are not. It is the DB that receives a KMS key upon restoring, but the snapshot is still unencrypted
upvoted 2 times
...
SinghJagdeep
1 year, 6 months ago
Selected Answer: A
Correct. Please visit for more details. https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html
upvoted 2 times
...
ansagr
1 year, 6 months ago
Selected Answer: A
AWS RDS does not support direct restoration of an encrypted snapshot to an existing unencrypted DB instance. When you restore a snapshot, it creates a new DB instance with the same configuration as the original instance.
upvoted 2 times
...
tom_cruise
1 year, 8 months ago
Selected Answer: A
What's wrong with C is: "Copy the snapshots and enable encryption"
upvoted 3 times
...
tom_cruise
1 year, 8 months ago
Selected Answer: A
key: snapshots
upvoted 2 times
...
AntonioMinolfi
1 year, 8 months ago
Selected Answer: A
I was undecided if to choose A or C. But since you can't restore a snapshot to an existing instance C is out. You can only create a new one. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RestoreFromSnapshot.html#:~:text=You%20can%27t%20restore%20from%20a%20DB%20snapshot%20to%20an%20existing%20DB%20instance%3B%20a%20new%20DB%20instance%20is%20created%20when%20you%20restore.
upvoted 2 times
...
TMabs
1 year, 8 months ago
A makes sence
upvoted 1 times
...
cookieMr
2 years ago
Selected Answer: C
A. Replacing the existing DB instance with an encrypted snapshot can result in downtime and potential data loss during migration. B. Creating a new encrypted EBS volume for snapshots does not address the encryption of the DB instance itself. D. Copying snapshots to an encrypted S3 bucket only encrypts the snapshots, but does not address the encryption of the DB instance. Option C is the most suitable as it involves copying and encrypting the snapshots using AWS KMS, ensuring encryption for both the database and snapshots.
upvoted 2 times
BartoszGolebiowski24
1 year, 8 months ago
From the question: "...What should a solutions architect do to ensure the database and snapshots are always encrypted moving forward?" I think the question is about encrypting current and future snapshots instead of the old snapshots.
upvoted 2 times
...
...
Abrar2022
2 years, 1 month ago
If daily snapshots are taken from the daily DB instance. Why create another copy? You just need to encrypt the latest daily DB snapshot and the restore from the existing encrypted snapshot.
upvoted 3 times
...
C_M_M
2 years, 2 months ago
A and C are almost similar except that A is latest snapshot, while C is snapshots (all the snapshots). I don't see any other difference btw those two options. Option A is clearly the correct on as all you need is the latest snapshot.
upvoted 3 times
JoeGuan
1 year, 10 months ago
I agree, in the wizard you would select ONE SNAPSHOT (singular in A), not all of the SNAPSHOTS (Plural in C)
upvoted 1 times
...
...
rushlav
2 years, 2 months ago
A You can only encrypt an Amazon RDS DB instance when you create it, not after the DB instance is created. However, because you can encrypt a copy of an unencrypted snapshot, you can effectively add encryption to an unencrypted DB instance. That is, you can create a snapshot of your DB instance, and then create an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of your original DB instance. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
upvoted 2 times
...
Abhineet9148232
2 years, 3 months ago
Selected Answer: C
Encryption is enabled during the Copy process itself. https://repost.aws/knowledge-center/encrypt-rds-snapshots
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel