Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 31 discussion

A company currently operates a web application backed by an Amazon RDS MySQL database. It has automated backups that are run daily and are not encrypted. A security audit requires future backups to be encrypted and the unencrypted backups to be destroyed. The company will make at least one encrypted backup before destroying the old backups.
What should be done to enable encryption for future backups?

  • A. Enable default encryption for the Amazon S3 bucket where backups are stored.
  • B. Modify the backup section of the database configuration to toggle the Enable encryption check box.
  • C. Create a snapshot of the database. Copy it to an encrypted snapshot. Restore the database from the encrypted snapshot.
  • D. Enable an encrypted read replica on RDS for MySQL. Promote the encrypted read replica to primary. Remove the original database instance.
Suggested Answer: C

Comments

frizzo
Highly Voted 3 years, 11 months ago
C is right https://aws.amazon.com/premiumsupport/knowledge-center/rds-encrypt-instance-mysql-mariadb/
upvoted 57 times
aguy9
3 years, 10 months ago
I agree, answer is C
upvoted 3 times
sndychvn
3 years, 9 months ago
Backups for RDS are stored in S3: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html As the question talks only about backups. Answer: A
upvoted 1 times
dave0763
3 years, 9 months ago
C is right "Amazon RDS snapshots are automatically encrypted with the same encryption key that was used to encrypt the source Amazon RDS database. Snapshots of unencrypted Amazon RDS databases are also unencrypted." https://docs.aws.amazon.com/aws-backup/latest/devguide/encryption.html
upvoted 7 times
foreverlearner
Highly Voted 3 years, 11 months ago
It's true that RDS stores its backup in S3. However, you have no visibility of that bucket (indeed it doesn't ask you where to store the backup). Hence, you can't enable encryption for it (which would only encrypt the backup while inside the bucket. If you'd move it out, it would still be unencrypted). You can only take encrypted backups/snapshots of encrypted DBs, so you would need to encrypt the DB first (which would be a good security practice anyway)
upvoted 31 times
A41
3 years, 10 months ago
So what is the best answer you preferred?
upvoted 2 times
examtopicsHaru
3 years, 9 months ago
This person means C in this case because you cannot take an encrypted snapshot from an unencrypted database in one shot. Changing the database itself will produce future snapshots encrypted
upvoted 1 times
fro13
Most Recent 2 years, 1 month ago
C is correct. You cannot toggle DB encryption as proposed in B.
upvoted 1 times
tayoke4
2 years, 5 months ago
Selected Answer: C
Answer is C. This option involves creating a snapshot of the existing unencrypted database, copying it to an encrypted snapshot, and then restoring the database from the encrypted snapshot. This approach ensures that all future backups will be encrypted while also allowing the company to retain a backup of the unencrypted data until the encrypted backups are in place. Option A, enabling default encryption for the Amazon S3 bucket where backups are stored, would not encrypt the backups stored in the RDS MySQL database. It would only encrypt the backups stored in the S3 bucket.
upvoted 1 times
dblacksmith
2 years, 5 months ago
C is correct
upvoted 1 times
Jacops
2 years, 8 months ago
Exactly C
upvoted 1 times
Drekorig
2 years, 9 months ago
Selected Answer: C
It's "C"
upvoted 1 times
ogerber
2 years, 10 months ago
Selected Answer: A
It's A! The question is: What should be done to enable encryption for future backups? Not about the RDS! Only future backups need to be encrypted! It's A! Wake up.
upvoted 1 times
AmazingAWS
2 years, 12 months ago
C for sure, RDS uses snapshots.
upvoted 1 times
Alfene
3 years ago
C is right
upvoted 1 times
marklovesaws143
3 years ago
Selected Answer: C
CCCCCCCCCCCCC
upvoted 2 times
slcheng
3 years, 1 month ago
Selected Answer: C
Vote C
upvoted 1 times
terencechan
3 years, 2 months ago
Selected Answer: C
The answer is C: You can only encrypt an Amazon RDS DB instance when you create it, not after the DB instance is created. There's a workaround for this: because you can encrypt a copy of an unencrypted snapshot, you can effectively add encryption to an unencrypted DB instance. You can create a snapshot of your DB instance, and then create an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of your original DB instance. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
upvoted 2 times
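
The snapshot, encrypted copy, restore sequence described in the comment above, as an added example that is not part of the original thread: a POSIX shell function driving the AWS CLI that checks the encryption flag on the copied snapshot and on the restored instance before reporting success. The instance identifiers and the KMS key are caller-supplied placeholders, and the snapshot naming scheme is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: snapshot -> encrypted copy -> restore, with encryption checks.
# Instance names and the KMS key are caller-supplied placeholders.

# is_true VALUE: the AWS CLI prints booleans as True/False with --output text.
is_true() {
  case "$1" in True|true) return 0 ;; *) return 1 ;; esac
}

# encrypt_rds_via_snapshot SRC_DB NEW_DB KMS_KEY_ID
# Prints the encrypted snapshot id on success.
# Returns 1 on an AWS CLI failure, 2 if the copied snapshot is not encrypted,
# 3 if the restored instance does not report encrypted storage.
encrypt_rds_via_snapshot() {
  src_db="$1"; new_db="$2"; kms_key="$3"
  stamp="$(date +%Y%m%d%H%M%S)"
  plain_snap="${src_db}-plain-${stamp}"
  enc_snap="${src_db}-enc-${stamp}"

  # 1. Manual snapshot of the unencrypted instance.
  aws rds create-db-snapshot --db-instance-identifier "$src_db" \
    --db-snapshot-identifier "$plain_snap" >/dev/null || return 1
  aws rds wait db-snapshot-available --db-snapshot-identifier "$plain_snap" || return 1

  # 2. Copy it; supplying a KMS key makes the copy encrypted.
  aws rds copy-db-snapshot --source-db-snapshot-identifier "$plain_snap" \
    --target-db-snapshot-identifier "$enc_snap" --kms-key-id "$kms_key" >/dev/null || return 1
  aws rds wait db-snapshot-available --db-snapshot-identifier "$enc_snap" || return 1
  enc="$(aws rds describe-db-snapshots --db-snapshot-identifier "$enc_snap" \
    --query 'DBSnapshots[0].Encrypted' --output text)" || return 1
  is_true "$enc" || { echo "snapshot $enc_snap is not encrypted" >&2; return 2; }

  # 3. Restore a new instance from the encrypted copy and confirm its storage.
  aws rds restore-db-instance-from-db-snapshot --db-instance-identifier "$new_db" \
    --db-snapshot-identifier "$enc_snap" >/dev/null || return 1
  aws rds wait db-instance-available --db-instance-identifier "$new_db" || return 1
  storage="$(aws rds describe-db-instances --db-instance-identifier "$new_db" \
    --query 'DBInstances[0].StorageEncrypted' --output text)" || return 1
  is_true "$storage" || { echo "instance $new_db is not encrypted" >&2; return 3; }

  echo "$enc_snap"
}

# Run only when called as: script SRC_DB NEW_DB KMS_KEY_ID
if [ "$#" -eq 3 ]; then
  encrypt_rds_via_snapshot "$@"
fi
```

The source instance, its automated backups and the unencrypted manual snapshot are left in place; destroying them and repointing the application at the new instance's endpoint are separate steps once the encrypted instance has been validated.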
codeporan
3 years, 4 months ago
C is right
upvoted 1 times
Venki_dev
3 years, 5 months ago
Selected Answer: C
https://aws.amazon.com/premiumsupport/knowledge-center/rds-encrypt-instance-mysql-mariadb/
upvoted 1 times
Salem_Express
3 years, 7 months ago
Selected Answer: A
Why not A?
upvoted 1 times
Edgarrt
3 years, 7 months ago
Selected Answer: C
https://aws.amazon.com/premiumsupport/knowledge-center/rds-encrypt-instance-mysql-mariadb/ "You can't modify an existing unencrypted Amazon RDS DB instance to encrypt the instance. You can't create an encrypted read replica from an unencrypted instance."
upvoted 1 times
Edgarrt
3 years, 7 months ago
Can't be D: "You can't have an encrypted read replica of an unencrypted DB instance or an unencrypted read replica of an encrypted DB instance." https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Enabling "You can enable encryption for an Amazon RDS DB instance when you create it, but not after it's created. However, you can add encryption to an unencrypted DB instance by creating a snapshot of your DB instance, and then creating an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot to get an encrypted copy of your original DB instance" https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html
upvoted 2 times