
Answer-first summary for fast verification
Answer: Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.
## Explanation

**Correct Answer: A**

To encrypt an existing unencrypted RDS DB instance, you must:

1. Take a snapshot of the unencrypted DB instance
2. Copy that snapshot and enable encryption during the copy process using AWS KMS
3. Restore the encrypted snapshot to create a new encrypted DB instance
4. Replace the original unencrypted instance with the new encrypted instance

**Why Option A is correct:**

- This follows AWS best practices for encrypting existing unencrypted RDS instances
- The process creates an encrypted copy of the latest snapshot, then restores it to replace the existing instance
- This ensures both the database and future snapshots will be encrypted

**Why other options are incorrect:**

**Option B:** RDS doesn't use EBS volumes directly in this manner. You cannot simply copy snapshots to EBS volumes and enable encryption on the DB instance. RDS encryption must be enabled at creation time or through the snapshot copy/restore process.

**Option C:** You cannot restore an encrypted snapshot to an existing DB instance. You must create a new DB instance from the encrypted snapshot. The phrase "restore encrypted snapshot to an existing DB instance" is incorrect.

**Option D:** Copying snapshots to S3 doesn't encrypt the RDS instance itself. While S3 encryption protects the snapshot copy in S3, it doesn't address the encryption requirement for the live RDS database or its native snapshots.

**Key AWS Concepts:**

- RDS encryption can only be enabled when creating a new DB instance or when restoring from a snapshot
- To encrypt an existing unencrypted RDS instance, you must use the snapshot copy/restore method
- Once encrypted, all future snapshots will automatically be encrypted
- Multi-AZ deployments maintain encryption across both primary and standby instances
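Steps 1 to 3 of the procedure above, as an added example written against boto3's RDS client (not code from the original page). The identifier suffixes are assumptions; the cutover in step 4 is left to the operator once the function confirms the new instance is encrypted.

```python
def encrypt_rds_instance(rds, instance_id, kms_key_id, suffix="enc"):
    """Build an encrypted replacement for an unencrypted RDS instance.

    rds: a boto3 RDS client, e.g. boto3.client("rds").
    Identifiers derived from `suffix` are illustrative assumptions.
    Returns the identifier of the new encrypted instance.
    """
    db = rds.describe_db_instances(DBInstanceIdentifier=instance_id)["DBInstances"][0]
    if db.get("StorageEncrypted"):
        raise ValueError(f"{instance_id} is already encrypted")

    plain_snap = f"{instance_id}-pre-{suffix}"
    enc_snap = f"{instance_id}-{suffix}-snap"
    new_id = f"{instance_id}-{suffix}"
    snap_ready = rds.get_waiter("db_snapshot_available")

    # Step 1: snapshot the unencrypted instance.
    rds.create_db_snapshot(DBInstanceIdentifier=instance_id,
                           DBSnapshotIdentifier=plain_snap)
    snap_ready.wait(DBSnapshotIdentifier=plain_snap)

    # Step 2: copy the snapshot; passing a KMS key encrypts the copy.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=plain_snap,
                         TargetDBSnapshotIdentifier=enc_snap,
                         KmsKeyId=kms_key_id)
    snap_ready.wait(DBSnapshotIdentifier=enc_snap)
    copy = rds.describe_db_snapshots(DBSnapshotIdentifier=enc_snap)["DBSnapshots"][0]
    if not copy.get("Encrypted"):
        raise RuntimeError("snapshot copy is not encrypted; refusing to restore")

    # Step 3: restore the encrypted copy as a NEW instance, passing the source's
    # class, subnet group, security groups and Multi-AZ setting explicitly.
    rds.restore_db_instance_from_db_snapshot(
        DBInstanceIdentifier=new_id,
        DBSnapshotIdentifier=enc_snap,
        DBInstanceClass=db["DBInstanceClass"],
        DBSubnetGroupName=db["DBSubnetGroup"]["DBSubnetGroupName"],
        VpcSecurityGroupIds=[g["VpcSecurityGroupId"] for g in db["VpcSecurityGroups"]],
        MultiAZ=db.get("MultiAZ", False),
    )
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=new_id)

    # Confirm the result before anyone cuts traffic over (step 4).
    new_db = rds.describe_db_instances(DBInstanceIdentifier=new_id)["DBInstances"][0]
    if not new_db.get("StorageEncrypted"):
        raise RuntimeError(f"{new_id} came up unencrypted")
    return new_id
```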
Author: LeetQuiz Editorial Team
A company is running an online transaction processing (OLTP) workload on AWS. This workload uses an unencrypted Amazon RDS DB instance in a Multi-AZ deployment. Daily database snapshots are taken from this instance.
What should a solutions architect do to ensure the database and snapshots are always encrypted moving forward?
A. Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.

B. Create a new encrypted Amazon Elastic Block Store (Amazon EBS) volume and copy the snapshots to it. Enable encryption on the DB instance.

C. Copy the snapshots and enable encryption using AWS Key Management Service (AWS KMS). Restore encrypted snapshot to an existing DB instance.

D. Copy the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS).