Exam AWS Certified Database - Specialty topic 1 question 299 discussion

C Aurora allows you to create encrypted DB out of unencrypted snapshot (this is not true for regular RDS, where A would be the right answer)

C. After try-n-error in the AWS RDS Snapshot console, got this (make sure the Engine column must be Aurora PostgreSQL): unencrypted snapshot -> encrypted snapshot unencrypted snapshot -> restore to encrypted instance encrypted snapshot -> restore to encrypted instance encrypted snapshot -> change key -> encrypted snapshot A: No. I can't find any way in console that cp and encrypt a snapshot but marked as unencrypted. BTW, I can't unencrypted an encrypted snapshot in RDS Snapshot console. I even tried clear out the key ARN field then copy, but it will go back to whatever key it originally has after copy. No comment / test on RDS non-Aurora snapshot cycle since the question scope doesn't cover.

C https://repost.aws/knowledge-center/encrypt-rds-snapshots Important: If you use Amazon Aurora, you can restore an unencrypted Aurora DB cluster snapshot to an encrypted Aurora DB cluster. However, you must specify an AWS Key Management Service (AWS KMS) encryption key when you restore from the unencrypted DB cluster snapshot.

It's C.

You cannot restore an unecrypted DB cluster from an encrypted snapshot.

concur with Mintwater.

A is the best response https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Limitations

A - A. Take a manual snapshot of the unencrypted DB cluster. Create an encrypted copy of that snapshot in the same AWS Region as the unencrypted snapshot. Restore a DB cluster from the encrypted snapshot. Limitations of Amazon RDS encrypted DB instances The following limitations exist for Amazon RDS encrypted DB instances: You can only encrypt an Amazon RDS DB instance when you create it, not after the DB instance is created. However, because you can encrypt a copy of an unencrypted snapshot, you can effectively add encryption to an unencrypted DB instance. That is, you can create a snapshot of your DB instance, and then create an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of your original DB instance. For more information, see Copying a DB snapshot. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Limitations

You can't convert an unencrypted DB cluster to an encrypted one. However, you can restore an unencrypted snapshot to an encrypted Aurora DB cluster. To do this, specify a KMS key when you restore from the unencrypted snapshot. https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.html