
A company utilizes Amazon RDS for MySQL to power their applications. A recent security audit identified an RDS instance that does not adhere to the company's policy mandating encryption of data at rest. The security engineer is tasked with ensuring that all existing RDS databases are encrypted using server-side encryption and that any future instances not conforming to this policy are promptly identified. What two actions should the security engineer implement to achieve this goal?
A
Create an AWS Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge rule to trigger on the AWS Config rules compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
B
Use AWS Systems Manager State Manager to detect RDS database encryption configuration drift. Create an Amazon EventBridge rule to track state changes and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.
C
Create a read replica for the existing unencrypted RDS database and enable replica encryption in the process. Once the replica becomes active, promote it into a standalone database instance and terminate the unencrypted database instance.
D
Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.