Exam AWS Certified Database - Specialty topic 1 question 116 discussion

B and D.

Per - https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.html Not A as - You can't create an encrypted Aurora Replica from an unencrypted Aurora DB cluster. You can't create an unencrypted Aurora Replica from an encrypted Aurora DB cluster. B is good for in-transit replication Not C as - You can't convert an unencrypted DB cluster to an encrypted one. D as - You can restore an unencrypted snapshot to an encrypted Aurora DB cluster. To do this, specify a KMS key when you restore from the unencrypted snapshot. Not E as - KMS does not perform encryption for data in transit or in motion. If you want to encrypt data while in transit, then you would need to use a different method such as SSL. So, B and D is correct.

In Aurora you can encrypt at rest without copying the snapshot. So A and C for sure

I reckon is B and D

B and D. D is right. Take snapshot of cluster > and (keyword here) > enable encryption. You cannot take a snapshot and encrypt it at the same time, this where the 'and' comes into play, you can encrypt just a snapshot + you can encrypt the snapshot on restore.

B. SSL/TLS is good for in-transit replication D. as - You can restore an unencrypted snapshot to an encrypted Aurora DB cluster

B,D C: Wrong, you cannot modify an unencrypted to encrypted

A and B .. https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-replicas-adding.html D is incorrect: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_CopySnapshot.html For Amazon Aurora DB cluster snapshots, you can't encrypt an unencrypted DB cluster snapshot when you copy the snapshot.

B and D is correct

B and D are correct choice.

BD B. is obvious. For D. I thought it's possible to directly restore the unencrypted snapshot into an encrypted cluster so somehow one step looks unnecessary. But A, C and E are incorrect so I pick D. by default