Your company has an existing RDS Instance-MySQL with data already in place.
The IT Security department is now mandating that all data be encrypted at rest.
Which of the following are options you can take to comply with this requirement? Choose 2 answers from the options given below.
A. B. C. D. E.
Correct Answers: B and C.
The AWS Documentation mentions the following.
You can only enable encryption for an Amazon RDS DB instance when you create it, not after the DB instance is created.
However, because you can encrypt a copy of an unencrypted DB snapshot, you can effectively add encryption to an unencrypted DB instance.
You can create a snapshot of your DB instance and then create an encrypted copy of that snapshot.
You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of your original DB instance.
Since this is clearly mentioned in the AWS documentation, all other options are incorrect.
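The snapshot, encrypted copy, and restore sequence described above can be scripted. The following is an added example, not code from the original page or from AWS; it assumes a boto3 RDS client is passed in, and the identifier naming scheme (`-plain`, `-copy` suffixes) is hypothetical.

```python
"""Added example: encrypt an existing RDS instance via an encrypted snapshot copy."""


def encrypt_via_snapshot(rds, instance_id, kms_key_id, tag="enc"):
    """Snapshot -> encrypted copy -> restore.

    `rds` is a boto3 RDS client (boto3.client("rds")) or any object exposing
    the same methods. Returns the identifier of the new, encrypted DB instance.
    """
    src = rds.describe_db_instances(DBInstanceIdentifier=instance_id)["DBInstances"][0]
    if src.get("StorageEncrypted"):
        raise ValueError(f"{instance_id} is already encrypted at rest")

    plain_snap = f"{instance_id}-{tag}-plain"   # hypothetical naming scheme
    enc_snap = f"{instance_id}-{tag}-copy"
    new_instance = f"{instance_id}-{tag}"
    snap_ready = rds.get_waiter("db_snapshot_available")

    # 1. Snapshot the unencrypted instance.
    rds.create_db_snapshot(DBSnapshotIdentifier=plain_snap,
                           DBInstanceIdentifier=instance_id)
    snap_ready.wait(DBSnapshotIdentifier=plain_snap)

    # 2. Copy the snapshot; supplying a KMS key is what encrypts the copy.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=plain_snap,
                         TargetDBSnapshotIdentifier=enc_snap,
                         KmsKeyId=kms_key_id)
    snap_ready.wait(DBSnapshotIdentifier=enc_snap)

    # Check before restoring: never build the replacement from a plaintext copy.
    copy = rds.describe_db_snapshots(DBSnapshotIdentifier=enc_snap)["DBSnapshots"][0]
    if not copy.get("Encrypted"):
        raise RuntimeError(f"snapshot copy {enc_snap} is not encrypted")

    # 3. Restore a new instance from the encrypted copy; it inherits encryption.
    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=new_instance,
                                             DBSnapshotIdentifier=enc_snap)
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=new_instance)

    # Final check on the restored instance itself.
    restored = rds.describe_db_instances(DBInstanceIdentifier=new_instance)["DBInstances"][0]
    if not restored.get("StorageEncrypted"):
        raise RuntimeError(f"{new_instance} restored without encryption")
    return new_instance
```

The original instance and the unencrypted snapshot still hold plaintext data after this runs, so they need to be retired once the application points at the new instance.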
For more information on encryption for RDS, please visit the URL below:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html

To comply with the IT Security department's requirement of encrypting data at rest in an existing RDS Instance-MySQL, there are a few options available. Two of them are mentioned below:
A. Enable encryption for the existing database: You can enable encryption for an existing database instance by modifying its settings. To do this, follow these steps:
Go to the Amazon RDS console, select the DB instance, and choose Modify.
Under Encryption, choose Enable Encryption.
Choose an existing KMS key or create a new one.
Choose Apply Immediately, and then choose Modify DB Instance.
The modification process will start and may take a few minutes to complete, depending on the size of the database instance.
B. Recreate a new DB with encryption enabled. Copy the existing data to the new DB: Another option is to create a new DB with encryption enabled and copy the existing data to the new DB. To do this, follow these steps:
Create a new DB instance with encryption enabled.
Take a snapshot of the existing DB.
Restore the snapshot to the new DB instance.
After the restore is complete, connect to the new DB instance and verify that the data is intact.
Update the application configuration to use the new DB instance.
C. Create a snapshot of the existing DB: This option only creates a backup of the database instance, but does not encrypt the data at rest.
D. Create an encrypted copy of that snapshot and use it to recreate the existing database: This option involves creating an encrypted copy of the snapshot created in option C and using it to create a new DB instance. Once the new DB instance is created, the data can be migrated to it. This option is similar to option B, but the difference is that you are creating an encrypted copy of the snapshot first.
E. Create a snapshot of the existing EBS volumes. Create an encrypted copy of that snapshot: This option only creates a backup of the EBS volumes, but does not encrypt the data at rest.
Out of the above options, options A and B are the most appropriate for complying with the IT Security department's requirement of encrypting data at rest in an existing RDS Instance-MySQL. Option A is the simplest as it involves modifying the existing database instance, whereas option B involves creating a new DB instance and copying the data to it.