A DevOps engineer has used a CloudFormation template to create an RDS resource for a new web application.
The RDS database has used the engine of PostgreSQL, and the encryption is not enabled.
However, for certain security considerations, the database needs to be updated to enable encryption.
The CloudFormation template is updated accordingly (StorageEncrypted is true)
To prevent data loss during the CloudFormation stack update, the data should be restored from the latest DB snapshot.
Which two steps should be taken in combination to meet this requirement? (Select TWO.)
Click on the arrows to vote for the correct answer
A. B. C. D. E.Correct Answer - B, D.
When StorageEncrypted is modified, and the CloudFormation is updated, the DB instance is deleted and replaced with a new one.
Check https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsnapshotidentifier for details.
In the meantime, the CloudFormation template needs to use DBSnapshotIdentifier to point to the DB snapshot which the CloudFormation stack will use.
Option A is incorrect: Because if a DB instance is deleted or replaced during an update, AWS CloudFormation deletes all automated snapshots.
However, it retains manual DB snapshots.
Refer the link: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html.
Option B is CORRECT: Because the manual snapshot can preserve the data well, and the snapshot ARN will be used by the CloudFormation template.
Refer to option.
D.Option C is incorrect: Because the original DB instance is not used anymore.
A new instance is required in which the encryption is enabled.
So this option does not help to resolve the problem.
Option D is CORRECT: Because AWS CloudFormation creates a new database from the specified snapshot according to DBSnapshotIdentifier.
Please refer to https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsnapshotidentifier for the recommended approaches when updating DB instances.
Option E is incorrect: Because this option only takes a snapshot before tearing down the original DB instance.
Instead, a manual snapshot is required, and its ARN should be provided to the CloudFormation template.
To enable encryption on an RDS instance in a CloudFormation stack without data loss, you need to perform the following two steps:
Therefore, answer B is correct: deactivate any applications that are using the DB instance and then create a manual snapshot.
Answer A is incorrect: while it's always a good idea to ensure that automated snapshots are working correctly, in this scenario, we need to take a manual snapshot.
Therefore, answer D is correct: add the DBSnapshotIdentifier property with the ID of the used DB snapshot.
In addition, to prevent accidental deletion of the RDS instance, you can add a Stack Policy in the CloudFormation stack that prevents the resource from being deleted. This ensures that the RDS instance is not accidentally deleted during the stack update.
Therefore, answer C is also correct: add a Stack Policy in the CloudFormation stack to prevent the DB resource from being deleted.
However, answer E is not necessary for this scenario. DeletionPolicy of Snapshot is used when deleting a CloudFormation stack and specifying what to do with the resources that are created by the stack. It is not relevant when updating the stack, as we are not deleting any resources.