Questions 34 to 36

Explanations for questions 34 to 36

We'll cover the following

- Question 34
- Question 35
- Question 36

Question 34

Your company is opening a new office in the Asia Pacific region. Users in the new office will need to read data from an RDS database that is hosted in the U.S. To improve performance, you are planning to implement a Read Replica of the database in the Asia Pacific region. However, your Chief Security Officer (CSO) has explained to you that the company policy dictates that all data that leaves the U.S. must be encrypted at rest. The master RDS DB is not currently encrypted.

What options are available to you? (Select TWO)

You can create an encrypted Read Replica that is encrypted with the same key.
You can create an encrypted Read Replica that is encrypted with a different key.
You can enable encryption for the master DB by creating a new DB from a snapshot with encryption enabled.
You can enable encryption for the master DB through the Management Console.
You can use an ELB to provide an encrypted transport layer in front of the RDS DB.

Correct Answer: 2, 3

Explanation: You can encrypt your Amazon RDS instances and snapshots at rest by enabling the encryption option for your Amazon RDS DB instance when you create it. However, you cannot encrypt an existing DB; you need to create a snapshot, copy it, encrypt the copy, then build an encrypted DB from the snapshot.

Data that is encrypted at rest includes the underlying storage for a DB instance, its automated backups, Read Replicas, and snapshots.

A Read Replica of an Amazon RDS encrypted instance is also encrypted using the same key as the master instance when both are in the same region. When in different regions, a different key can be used.

INCORRECT: “You can create an encrypted Read Replica that is encrypted with the same key.” is incorrect. If the master and Read Replica are in different regions, you encrypt using the encryption key for that region.

CORRECT: “You can create an encrypted Read Replica that is encrypted with a different key.” is the correct answer.

CORRECT: “You can enable encryption for the master DB by creating a new DB from a snapshot with encryption enabled.” is the second correct answer.

INCORRECT: “You can enable encryption for the master DB through the Management Console.” is incorrect as you can only enable encryption when you first create the database.

INCORRECT: “You can use an ELB to provide an encrypted transport layer in front of the RDS DB.” is incorrect as ELBs are not placed in front of RDS instances; they are placed in front of EC2 instances.

References:

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html

Level up your interview prep. Join Educative to access 70+ hands-on prep courses.

Introduction

Getting Started

Compute

Storage

AWS Database

Migration

Networking and Content Delivery

Management Tools

Media Services

Analytics

AWS Security, Identity, & Compliance

Application Integration

AWS Desktop & App Streaming

Wrapping Up

Practice Exam 1

Practice Exam 1 Explanations

Practice Exam 2

Practice Exam 2 Explanations

Practice Exam 3

Practice Exam 3 Explanations

Practice Exam 4

Practice Exam 4 Explanations

Practice Exam 5

Practice Exam 5 Explanations

Practice Exam 6

Practice Exam 6 Explanations

Questions 34 to 36

Question 34