Q58 — AWS SCS-C02 Ch.1


A company uses Amazon RDS for MySQL as a database engine for its applications. A recent security audit revealed an RDS instance that is not compliant with company policy for encrypting data at rest. A security engineer at the company needs to ensure that all existing RDS databases are encrypted using server-side encryption and that any future deviations from the policy are detected. Which combination of steps should the security engineer take to accomplish this?

Correct Answer: A and D.

A. Create an AWS Config rule to detect the creation of unencrypted RDS databases. Create an Amazon EventBridge rule to trigger on the AWS Config rule's compliance state change and use Amazon Simple Notification Service (Amazon SNS) to notify the security operations team.

D. Take a snapshot of the unencrypted RDS database. Copy the snapshot and enable snapshot encryption in the process. Restore the database instance from the newly created encrypted snapshot. Terminate the unencrypted database instance.

Explanation

For the existing unencrypted RDS database, first take a snapshot, copy the snapshot with encryption enabled to produce an encrypted snapshot, then restore a new instance from the encrypted snapshot, and finally terminate the original unencrypted instance. This encrypts the data already stored, which corresponds to option D. To prevent unencrypted databases from appearing in the future, create an AWS Config rule that monitors the encryption status of new RDS databases and detects the creation of unencrypted instances, and configure an EventBridge rule that fires when the Config rule's compliance state changes to non-compliant and notifies the security operations team through SNS, which corresponds to option A.