
Exam AWS Certified Database - Specialty topic 1 question 342 discussion

Exam question from Amazon's AWS Certified Database - Specialty
Question #: 342
Topic #: 1

A healthcare company is running an application on Amazon EC2 in a public subnet and using Amazon DocumentDB (with MongoDB compatibility) as the storage layer. An audit reveals that the traffic between the application and Amazon DocumentDB is not encrypted and that the DocumentDB cluster is not encrypted at rest. A database specialist must correct these issues and ensure that the data in transit and the data at rest are encrypted.

Which actions should the database specialist take to meet these requirements? (Choose two.)

  • A. Download the SSH RSA public key for Amazon DocumentDB. Update the application configuration to use the instance endpoint instead of the cluster endpoint and run queries over SSH.
  • B. Download the SSL .pem public key for Amazon DocumentDB. Add the key to the application package and make sure the application is using the key while connecting to the cluster.
  • C. Create a snapshot of the unencrypted cluster. Restore the unencrypted snapshot as a new cluster with the --storage-encrypted parameter set to true. Update the application to point to the new cluster.
  • D. Create an Amazon DocumentDB VPC endpoint to prevent the traffic from going to the Amazon DocumentDB public endpoint. Set a VPC endpoint policy to allow only the application instance's security group to connect.
  • E. Activate encryption at rest using the modify-db-cluster command with the --storage-encrypted parameter set to true. Set the security group of the cluster to allow only the application instance's security group to connect.
Suggested Answer: B
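The two requirements in the question map to two separate cluster properties: encryption at rest is the cluster's `StorageEncrypted` attribute (fixed only at creation time, which is why option C restores a snapshot into a new cluster), and encryption in transit is enforced by the cluster parameter `tls` plus a client that connects with `tls=true` and the Amazon DocumentDB CA bundle. The following audit helper is an added example, not code from the exam page or from AWS. It reads the JSON that `aws docdb describe-db-clusters` and `aws docdb describe-db-cluster-parameters` return (the sample documents below are constructed, with real field names but made-up identifiers), reports which of the two controls is missing, and builds the TLS-enforcing connection URI the application should use once the parameter is enabled.

```python
import json

# Constructed sample output, shaped like `aws docdb describe-db-clusters`
# (field names are real; the identifier, endpoint and values are made up).
SAMPLE_CLUSTERS = json.dumps({"DBClusters": [{
    "DBClusterIdentifier": "healthcare-docdb",
    "Engine": "docdb",
    "StorageEncrypted": False,
    "DBClusterParameterGroup": "healthcare-docdb-params",
    "Endpoint": "healthcare-docdb.cluster-EXAMPLE.us-east-1.docdb.amazonaws.com",
    "Port": 27017,
}]})

# Constructed sample output, shaped like `aws docdb describe-db-cluster-parameters`
# for the cluster's parameter group. `tls` is the parameter that enforces TLS.
SAMPLE_PARAMS = json.dumps({"Parameters": [
    {"ParameterName": "audit_logs", "ParameterValue": "disabled"},
    {"ParameterName": "tls", "ParameterValue": "disabled"},
]})


def audit_cluster(clusters_json, params_json, cluster_id):
    """Return the encryption posture of one cluster plus the fixes it needs."""
    clusters = json.loads(clusters_json)["DBClusters"]
    cluster = next(c for c in clusters if c["DBClusterIdentifier"] == cluster_id)
    params = {p["ParameterName"]: p["ParameterValue"]
              for p in json.loads(params_json)["Parameters"]}

    at_rest = bool(cluster.get("StorageEncrypted", False))
    # A missing `tls` entry is treated as not enforced rather than assumed safe.
    tls_enforced = params.get("tls", "disabled") == "enabled"

    findings = []
    if not at_rest:
        findings.append(
            "Data at rest is not encrypted. Encryption cannot be switched on "
            "for an existing cluster: snapshot it, restore the snapshot as a "
            "new encrypted cluster, then repoint the application.")
    if not tls_enforced:
        findings.append(
            "Cluster parameter `tls` is not `enabled`: set it in the cluster "
            "parameter group and have the client connect with tls=true and "
            "the Amazon DocumentDB CA bundle.")
    return {"cluster": cluster_id, "at_rest_encrypted": at_rest,
            "tls_enforced": tls_enforced, "findings": findings}


def connection_uri(endpoint, port, ca_file="global-bundle.pem"):
    """Build the TLS-enforcing URI a MongoDB driver needs for DocumentDB.
    Credentials are deliberately left out of the string; the driver should
    take them from a secrets store rather than from a URI in the app package.
    retryWrites=false is the setting AWS documents for DocumentDB clients."""
    return (f"mongodb://{endpoint}:{port}/"
            f"?tls=true&tlsCAFile={ca_file}&retryWrites=false")


if __name__ == "__main__":
    report = audit_cluster(SAMPLE_CLUSTERS, SAMPLE_PARAMS, "healthcare-docdb")
    for line in report["findings"]:
        print("FINDING:", line)
    print(connection_uri(
        "healthcare-docdb.cluster-EXAMPLE.us-east-1.docdb.amazonaws.com", 27017))
```

Run against real output by piping the two CLI commands into the functions; the constructed sample reproduces the state in the question (both controls missing), so it yields two findings. Note that enabling `tls` in the parameter group is enforced by the server, while the CA bundle only lets the client verify it is talking to the real cluster; both halves are needed for option B to actually protect data in transit.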

Comments

koki2847
1 year, 1 month ago
A and C are the answer. SSL/TLS doesn't require a public key to be installed on the client, which is the application server in this case. So B is incorrect. https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.ssl.html A is SSH tunneling, and the SSH connection is established between the client and the EC2 instance. So the client should choose the EC2 instance endpoint. Therefore, A is correct. https://docs.aws.amazon.com/documentdb/latest/developerguide/connect-from-outside-a-vpc.html
upvoted 1 times
MultiAZ
1 year, 4 months ago
Selected Answer: B
B and C. B for data in transit, C for data at rest.
upvoted 2 times
Ram_xyz
1 year, 5 months ago
Selected Answer: B
B & C https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html https://docs.aws.amazon.com/documentdb/latest/developerguide/encryption-at-rest.html
upvoted 3 times
marll88
1 year, 5 months ago
Correction. A. I did not understand the reason for instance endpoints. D. Secure, but data in transit and data in storage seem unrelated to encryption. E. Can you encrypt dynamically?
upvoted 1 times
marll88
1 year, 5 months ago
I think B and C. A. I did not understand the reason for instance endpoints. C. Secure, but data in transit and data in storage seem unrelated to encryption. D. Can you encrypt dynamically?
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other