A company released a new software-as-a-service (SaaS) application that is receiving significant adoption by end users. The rds-storage-encrypted AWS Config managed rule generates an alert that notifies the company’s security team about a resource that is not compliant. The noncompliant resource is an Amazon RDS for MySQL database that was deployed as part of the newly released application. How can the security team resolve the noncompliance with the LEAST disruption of application availability for the end users?

Topic #: - All AWS Certified Security - Specialty Questions

A. Use AWS Database Migration Service (AWS DMS) with full load and change data capture (CDC) between the noncompliant database and a new database with storage encrypted. When full load is finished, cut over any application endpoints to the new encrypted database.
B. Create a snapshot of the noncompliant DB instance. Make a copy of the snapshot in the same AWS Region with encryption configured. Restore the snapshot as a new DB instance. Cut over any application endpoints to the newly restored database.
C. Deploy a patch to the application to stop writing to the noncompliant database. Enable storage encryption by using the AWS CLI. Patch the application again to restore writing to the database.
D. Add a read replica to the noncompliant DB instance. Enable storage encryption on the read replica. When the read replica is available, cut over from the writer DB instance to the read replica. Delete the unencrypted DB instance after the cutover.

- Awsexamhub website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Suggested Answer:

Reference Material:

Suggested Answer:

Reference Material:

Share this post

Join the Discussion