Exam AWS Certified Security - Specialty topic 1 question 461 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 461
Topic #: 1

A company released a new software-as-a-service (SaaS) application that is receiving significant adoption by end users. The rds-storage-encrypted AWS Config managed rule generates an alert that notifies the company’s security team about a resource that is not compliant. The noncompliant resource is an Amazon RDS for MySQL database that was deployed as part of the newly released application.

How can the security team resolve the noncompliance with the LEAST disruption of application availability for the end users?

  • A. Use AWS Database Migration Service (AWS DMS) with full load and change data capture (CDC) between the noncompliant database and a new database with storage encrypted. When full load is finished, cut over any application endpoints to the new encrypted database.
  • B. Create a snapshot of the noncompliant DB instance. Make a copy of the snapshot in the same AWS Region with encryption configured. Restore the snapshot as a new DB instance. Cut over any application endpoints to the newly restored database.
  • C. Deploy a patch to the application to stop writing to the noncompliant database. Enable storage encryption by using the AWS CLI. Patch the application again to restore writing to the database.
  • D. Add a read replica to the noncompliant DB instance. Enable storage encryption on the read replica. When the read replica is available, cut over from the writer DB instance to the read replica. Delete the unencrypted DB instance after the cutover.
Suggested Answer: A
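
Added example (not part of the original question or the exam site): the test that the rds-storage-encrypted rule applies, reproduced offline over a constructed `describe-db-instances`-style inventory, including the read-replica case raised in the discussion. The instance identifiers and the KMS key ARN are made-up placeholders.

```python
import json

# Constructed sample shaped like `aws rds describe-db-instances` output
# (only the fields used here; identifiers and ARN are placeholders).
SAMPLE = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "saas-mysql-prod", "Engine": "mysql",
   "StorageEncrypted": false,
   "ReadReplicaDBInstanceIdentifiers": ["saas-mysql-rr1"]},
  {"DBInstanceIdentifier": "saas-mysql-rr1", "Engine": "mysql",
   "StorageEncrypted": false,
   "ReadReplicaSourceDBInstanceIdentifier": "saas-mysql-prod"},
  {"DBInstanceIdentifier": "saas-mysql-enc", "Engine": "mysql",
   "StorageEncrypted": true,
   "KmsKeyId": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"}
]}
""")


def evaluate(instances):
    """Map each instance identifier to a compliance finding based on StorageEncrypted."""
    by_id = {i["DBInstanceIdentifier"]: i for i in instances}
    findings = {}
    for ident, inst in by_id.items():
        if inst.get("StorageEncrypted", False):
            findings[ident] = {"compliance": "COMPLIANT", "note": ""}
            continue
        source = inst.get("ReadReplicaSourceDBInstanceIdentifier")
        if source in by_id and not by_id[source].get("StorageEncrypted", False):
            # A read replica takes the encryption state of its source instance.
            note = f"replica of unencrypted source {source}; inherits its unencrypted storage"
        else:
            # Storage encryption cannot be enabled on an existing instance.
            note = "encryption cannot be switched on in place; migrate to a new encrypted instance"
        findings[ident] = {"compliance": "NON_COMPLIANT", "note": note}
    return findings


def noncompliant(findings):
    """Sorted identifiers of instances that would fail the rule."""
    return sorted(k for k, v in findings.items() if v["compliance"] == "NON_COMPLIANT")


if __name__ == "__main__":
    result = evaluate(SAMPLE["DBInstances"])
    for ident in noncompliant(result):
        print(ident, "->", result[ident]["note"])
```
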

Comments

Raphaello
1 year, 4 months ago
Selected Answer: A
Both A & B are right to achieve the same goal. However, A is least disruptive. https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html#encrypt-an-existing-amazon-rds-for-postgresql-db-instance-summary
"However, if your project doesn’t allow for significant downtime for this activity, you need an alternate approach that helps minimize the downtime. This pattern uses the AWS Database Migration Service (AWS DMS) to migrate and continuously replicate the data so that the cutover to the new, encrypted database can be done with minimal downtime."
upvoted 1 times
...
Green53
2 years ago
Selected Answer: A
Both A and B are possible, but A will have the least disruption. C is nonsense; encryption can't be added after the fact. D is the same; replicas would not be encrypted.
upvoted 2 times
...
danielklein09
2 years, 1 month ago
Selected Answer: D
In practice you will use D
upvoted 1 times
Tofu13
2 years ago
RRs have the same Encryption Type as the DB they are replicated from. Non-encrypted DB will result in non-encrypted RR -> D is impossible (atm). https://repost.aws/knowledge-center/rds-encrypt-instance-mysql-mariadb
upvoted 2 times
...
...
sammore3
2 years, 4 months ago
Selected Answer: A
If your project doesn’t allow for significant downtime for this activity, you need an alternate approach that helps minimize the downtime. This pattern uses the AWS Database Migration Service (AWS DMS) to migrate and continuously replicate the data so that the cutover to the new, encrypted database can be done with minimal downtime. https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html
upvoted 2 times
...
jishrajesh
2 years, 6 months ago
Selected A
upvoted 2 times
...
Teknoklutz
2 years, 6 months ago
Selected Answer: A
DMS - Less Disruptive
upvoted 1 times
...
kwch791
2 years, 6 months ago
Selected Answer: A
Answer A - LEAST disruptive
upvoted 3 times
...
aj2aj2
2 years, 6 months ago
Answer A AWS DMS – You can use AWS Database Migration Service (AWS DMS) to replicate changes from the source DB to the target DB. It is important to keep the source and target DB in sync to keep downtime to a minimum. https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html
upvoted 3 times
...
D2
2 years, 6 months ago
Selected Answer: A
Answer A - LEAST disruptive
upvoted 2 times
Wilson_S
2 years, 6 months ago
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html
upvoted 1 times
...
...
kerar
2 years, 7 months ago
Selected Answer: B
However, you can add encryption to an unencrypted RDS DB instance by creating a snapshot of your DB instance, and then creating an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot to get an encrypted copy of your original DB instance. https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-remediate-unencrypted-amazon-rds-db-instances-and-clusters.html
upvoted 1 times
...
D2
2 years, 7 months ago
Both A and B are correct. However, A is LEAST disruptive (B has higher downtime than A)
upvoted 3 times
...
Community vote distribution: A (35%), C (25%), B (20%), Other