ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 275 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 275
Topic #: 1
[All AWS Certified Security - Specialty Questions]

A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected.
Which combination of steps should the security engineer take to accomplish this? (Choose two.)

  • A. Create an AWS Config rule to detect the creation of encrypted RDS databases. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to trigger on the AWS Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
  • B. Use AWS System Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
  • C. Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.
  • D. Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.
  • E. Enable encryption for the identified unencrypted RDS instance by changing the configurations of the existing database.
Show Suggested Answer Hide Answer
Suggested Answer: AD 🗳️
by stamford at Aug. 25, 2021, 9:46 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
dumma
Highly Voted 3 years, 8 months ago
A and D
upvoted 17 times
...
kiev
Highly Voted 3 years, 8 months ago
AD indeed. Config, will detect changes to the RDS and you encrypt and unencrypted RDS by creating a snapshot of it and encrypting the snapshot and turn in to the main data base and therefore Ad is good
upvoted 11 times
...
Samno
Most Recent 1 year, 3 months ago
A & D IS CORRECT
upvoted 1 times
...
Raphaello
1 year, 4 months ago
Selected Answer: AD
AD Take snapshot, encrypt, and restore. AWS Config to track drift.
upvoted 1 times
...
sakibmas
2 years, 6 months ago
Selected Answer: AD
To encrypt an unencrypted DB instance with minimal downtime, follow these steps: 1. Encrypt an unencrypted snapshot that you take from an unencrypted read replica of the DB instance. 2. Restore a new DB instance from the encrypted snapshot to deploy a new encrypted DB instance. 3. Use MySQL replication to synchronize changes from the source to the new encrypted DB instance. 4. Verify that the new, encrypted DB instance is in sync with the source DB instance. 5. Switch your connections and redirect your traffic to the new DB instance. Reference: https://aws.amazon.com/premiumsupport/knowledge-center/rds-encrypt-instance-mysql-mariadb/
upvoted 4 times
...
D2
2 years, 7 months ago
Selected Answer: AD
Answer AD
upvoted 2 times
...
Rja148393
2 years, 11 months ago
A and D.. For D part reference : https://aws.amazon.com/premiumsupport/knowledge-center/encrypt-rds-snapshots/
upvoted 1 times
...
ideoignus
3 years, 4 months ago
Selected Answer: AD
A and D
upvoted 3 times
...
lotfi50
3 years, 4 months ago
Selected Answer: AD
A and D
upvoted 4 times
...
LearnMeSomeAWS
3 years, 5 months ago
Agree with A and D. "A" meets notification needs, and "D" is an accepted method to convert an unencrypted RDB to encrypted RDB
upvoted 1 times
...
roger8978
3 years, 6 months ago
A D ................
upvoted 1 times
...
hk436
3 years, 8 months ago
AD is my answer.!
upvoted 3 times
...
CloudMasterGuru
3 years, 8 months ago
A and D for sure
upvoted 2 times
...
stamford
3 years, 9 months ago
I hope its A and D
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel