Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Associate SAA-C03 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Associate SAA-C03 exam
Go to Exam

Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 121 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Associate SAA-C03
Question #: 121
Topic #: 1
[All AWS Certified Solutions Architect - Associate SAA-C03 Questions]

A company is running an online transaction processing (OLTP) workload on AWS. This workload uses an unencrypted Amazon RDS DB instance in a Multi-AZ deployment. Daily database snapshots are taken from this instance.
What should a solutions architect do to ensure the database and snapshots are always encrypted moving forward?

  • A. Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.
  • B. Create a new encrypted Amazon Elastic Block Store (Amazon EBS) volume and copy the snapshots to it. Enable encryption on the DB instance.
  • C. Copy the snapshots and enable encryption using AWS Key Management Service (AWS KMS) Restore encrypted snapshot to an existing DB instance.
  • D. Copy the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS).
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by 123jhl0 at Oct. 19, 2022, 8:53 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
123jhl0
Highly Voted 1 year, 12 months ago
Selected Answer: A
"You can enable encryption for an Amazon RDS DB instance when you create it, but not after it's created. However, you can add encryption to an unencrypted DB instance by creating a snapshot of your DB instance, and then creating an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot to get an encrypted copy of your original DB instance." https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html
upvoted 60 times
1e22522
2 months, 2 weeks ago
thats crazy cuh the more you know ig
upvoted 1 times
...
Futurebones
1 year, 5 months ago
How can A gurantee future encryption?
upvoted 4 times
Smart
1 year, 2 months ago
Once DB is encrypted, newer snapshots and read replicas will also be encrypted.
upvoted 7 times
...
...
JoeGuan
1 year, 2 months ago
I agree, there is no reason to copy all of the snapshots and ecnrypt them all. You just need one encrypted snapshot, moving forward they will all be encrypted. C is close but I think there is no reason to copy all the snapshots plural. There is a wizard to go through and select the snapshot to encrypt. "In the Amazon RDS console navigation pane, choose Snapshots, and select the DB snapshot you created. For Actions, choose Copy Snapshot. Provide the destination AWS Region and the name of the DB snapshot copy in the corresponding fields. Select the Enable Encryption checkbox. For Master Key, specify the KMS key identifier to use to encrypt the DB snapshot copy. Choose Copy Snapshot. For more information, see Copying a snapshot in the Amazon RDS documentation". What if you had 30 snapshotS? You just need to do it once.
upvoted 3 times
Guru4Cloud
1 year, 2 months ago
In simple terms, you double it the affort of your work and spending money by creating unnessary snapshots... so A is the best choice
upvoted 1 times
...
...
...
PaulGa
Most Recent 3 weeks, 6 days ago
Selected Answer: A
Ans A - I must admit almsot put Ans C, but re-reading question and seeing comments its clear that encryption is needed "moving forward" so C is overkill...
upvoted 1 times
...
jaradat02
2 months, 3 weeks ago
Selected Answer: A
Replacing a snapshots creates a new one instead of restoring the old one.
upvoted 1 times
...
Saadiii
5 months, 2 weeks ago
Selected Answer: A
I feel this is a bit tricky in the way the question is asked, but C implies that you are encrypting the snapshot. You are not. It is the DB that receives a KMS key upon restoring, but the snapshot is still unencrypted
upvoted 1 times
...
SinghJagdeep
9 months, 4 weeks ago
Selected Answer: A
Correct. Please visit for more details. https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html
upvoted 1 times
...
ansagr
10 months, 1 week ago
Selected Answer: A
AWS RDS does not support direct restoration of an encrypted snapshot to an existing unencrypted DB instance. When you restore a snapshot, it creates a new DB instance with the same configuration as the original instance.
upvoted 1 times
...
tom_cruise
11 months, 3 weeks ago
Selected Answer: A
What's wrong with C is: "Copy the snapshots and enable encryption"
upvoted 3 times
...
tom_cruise
1 year ago
Selected Answer: A
key: snapshots
upvoted 1 times
...
AntonioMinolfi
1 year ago
Selected Answer: A
I was undecided if to choose A or C. But since you can't restore a snapshot to an existing instance C is out. You can only create a new one. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RestoreFromSnapshot.html#:~:text=You%20can%27t%20restore%20from%20a%20DB%20snapshot%20to%20an%20existing%20DB%20instance%3B%20a%20new%20DB%20instance%20is%20created%20when%20you%20restore.
upvoted 1 times
...
TMabs
1 year ago
A makes sence
upvoted 1 times
...
cookieMr
1 year, 3 months ago
Selected Answer: C
A. Replacing the existing DB instance with an encrypted snapshot can result in downtime and potential data loss during migration. B. Creating a new encrypted EBS volume for snapshots does not address the encryption of the DB instance itself. D. Copying snapshots to an encrypted S3 bucket only encrypts the snapshots, but does not address the encryption of the DB instance. Option C is the most suitable as it involves copying and encrypting the snapshots using AWS KMS, ensuring encryption for both the database and snapshots.
upvoted 2 times
BartoszGolebiowski24
11 months, 3 weeks ago
From the question: "...What should a solutions architect do to ensure the database and snapshots are always encrypted moving forward?" I think the question is about encrypting current and future snapshots instead of the old snapshots.
upvoted 1 times
...
...
Abrar2022
1 year, 4 months ago
If daily snapshots are taken from the daily DB instance. Why create another copy? You just need to encrypt the latest daily DB snapshot and the restore from the existing encrypted snapshot.
upvoted 3 times
...
kruasan
1 year, 5 months ago
Selected Answer: A
You can't restore from a DB snapshot to an existing DB instance; a new DB instance is created when you restore.
upvoted 4 times
...
C_M_M
1 year, 6 months ago
A and C are almost similar except that A is latest snapshot, while C is snapshots (all the snapshots). I don't see any other difference btw those two options. Option A is clearly the correct on as all you need is the latest snapshot.
upvoted 2 times
JoeGuan
1 year, 2 months ago
I agree, in the wizard you would select ONE SNAPSHOT (singular in A), not all of the SNAPSHOTS (Plural in C)
upvoted 1 times
...
...
rushlav
1 year, 6 months ago
A You can only encrypt an Amazon RDS DB instance when you create it, not after the DB instance is created. However, because you can encrypt a copy of an unencrypted snapshot, you can effectively add encryption to an unencrypted DB instance. That is, you can create a snapshot of your DB instance, and then create an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of your original DB instance. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
upvoted 1 times
...
Abhineet9148232
1 year, 6 months ago
Selected Answer: C
Encryption is enabled during the Copy process itself. https://repost.aws/knowledge-center/encrypt-rds-snapshots
upvoted 1 times
...
Bang3R
1 year, 6 months ago
Selected Answer: C
C is the more complete answer as you need KMS to encrypt the snapshot copy prior to restoring it to the Database instance.
upvoted 1 times
jdr75
1 year, 6 months ago
BUT you can't restore encrypted snapshot to an existing DB instance.Only no NEW DB (not an existing one). The procedure described in this way: "(...) you can add encryption to an unencrypted DB instance by creating a snapshot of your DB instance, and then creating an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot to get an encrypted copy of your original DB instance." refers to create a NEW DB instance (this encrypted), never restoring in a existing one. The RDB engine understands that restoring from a encrypted snapshot is form create an encrypted NEW database.
upvoted 2 times
...
...
Load full discussion...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel