AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company is running an online transaction processing (OLTP) workload on AWS. This workload uses an unencrypted Amazon RDS DB instance in a Multi-AZ deployment. Daily database snapshots are taken from this instance.

What should a solutions architect do to ensure the database and snapshots are always encrypted moving forward?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.

Create a new encrypted Amazon Elastic Block Store (Amazon EBS) volume and copy the snapshots to it. Enable encryption on the DB instance.

Copy the snapshots and enable encryption using AWS Key Management Service (AWS KMS). Restore encrypted snapshot to an existing DB instance.

Copy the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS).

Explanation:

Explanation

Correct Answer: A

To encrypt an existing unencrypted RDS DB instance, you must:

Take a snapshot of the unencrypted DB instance
Copy that snapshot and enable encryption during the copy process using AWS KMS
Restore the encrypted snapshot to create a new encrypted DB instance
Replace the original unencrypted instance with the new encrypted instance

Why Option A is correct:

This follows AWS best practices for encrypting existing unencrypted RDS instances
The process creates an encrypted copy of the latest snapshot, then restores it to replace the existing instance
This ensures both the database and future snapshots will be encrypted

Why other options are incorrect:

Option B: RDS doesn't use EBS volumes directly in this manner. You cannot simply copy snapshots to EBS volumes and enable encryption on the DB instance. RDS encryption must be enabled at creation time or through the snapshot copy/restore process.

Option C: You cannot restore an encrypted snapshot to an existing DB instance. You must create a new DB instance from the encrypted snapshot. The phrase "restore encrypted snapshot to an existing DB instance" is incorrect.

Option D: Copying snapshots to S3 doesn't encrypt the RDS instance itself. While S3 encryption protects the snapshot copy in S3, it doesn't address the encryption requirement for the live RDS database or its native snapshots.

Key AWS Concepts:

RDS encryption can only be enabled when creating a new DB instance or when restoring from a snapshot
To encrypt an existing unencrypted RDS instance, you must use the snapshot copy/restore method
Once encrypted, all future snapshots will automatically be encrypted
Multi-AZ deployments maintain encryption across both primary and standby instances

Powered ByGPT-5.2

Comments

Loading comments...