Amazon Exam DBS-C01 Topic 3 Question 96 Discussion

Actual exam question for Amazon's DBS-C01 exam

Question #: 96
Topic #: 3

A healthcare company is running an application on Amazon EC2 in a public subnet and using Amazon DocumentDB (with MongoDB compatibility) as the storage layer. An audit reveals that the traffic between the application and Amazon DocumentDB is not encrypted and that the DocumentDB cluster is not encrypted at rest. A database specialist must correct these issues and ensure that the data in transit and the data at rest are encrypted.

Which actions should the database specialist take to meet these requirements? (Select TWO.)

ADownload the SSH RSA public key for Amazon DocumentDB. Update the application configuration to use the instance endpoint instead of the cluster endpoint and run queries over SSH.

BDownload the SSL .pem public key for Amazon DocumentDB. Add the key to the application package and make sure the application is using the key while connecting to the cluster.

CCreate a snapshot of the unencrypted cluster. Restore the unencrypted snapshot as a new cluster with the ---storage-encrypted parameter set to true. Update the application to point to the new cluster.

DCreate an Amazon DocumentDB VPC endpoint to prevent the traffic from going to the Amazon DocumentDB public endpoint. Set a VPC endpoint policy to allow only the application instance's security group to connect.

EActivate encryption at rest using the modify-db-cluster command with the ---storage-encrypted parameter set to true. Set the security group of the cluster to allow only the application instance's security group to connect.

Show Suggested Answer

Suggested Answer: B, C

by Sue at Jun 28, 2024, 10:36 PM

Limited Time Offer

25%

Off

Get Premium DBS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Tawna

5 months ago

Haha, A and D? What is this, the 1990s? We're talking about a modern cloud database, not some ancient on-premise system.

upvoted 0 times

Whitney

4 months ago

E) Activate encryption at rest using the modify-db-cluster command with the ---storage-encrypted parameter set to true. Set the security group of the cluster to allow only the application instance's security group to connect.

upvoted 0 times

...

Deangelo

4 months ago

B) Download the SSL .pem public key for Amazon DocumentDB. Add the key to the application package and make sure the application is using the key while connecting to the cluster.

upvoted 0 times

...

Amber

5 months ago

Creating an Amazon DocumentDB VPC endpoint to control traffic sounds like a good idea too.

upvoted 0 times

...

Valentine

5 months ago

This is a no-brainer. C and E are the clear choices. Restoring an encrypted cluster and setting up encryption at rest - that's the way to go!

upvoted 0 times

...

Jeannetta

5 months ago

A and D? Seriously? Using SSH for database connections is just overkill. And a VPC endpoint won't encrypt the data itself.

upvoted 0 times

Eleonore

4 months ago

Exactly, focusing on encrypting the data itself and controlling access through security groups is the way to go.

upvoted 0 times

...

Donette

4 months ago

True, using SSH for database connections can be unnecessary. Encryption at rest and in transit are the key here.

upvoted 0 times

...

Marshall

5 months ago

upvoted 0 times

...

Matthew

5 months ago

B) Download the SSL .pem public key for Amazon DocumentDB. Add the key to the application package and make sure the application is using the key while connecting to the cluster.

upvoted 0 times

...