Amazon Exam DBS-C01 Topic 6 Question 94 Discussion

Actual exam question for Amazon's DBS-C01 exam

Question #: 94
Topic #: 6

A healthcare company is running an application on Amazon EC2 in a public subnet and using Amazon DocumentDB (with MongoDB compatibility) as the storage layer. An audit reveals that the traffic between the application and Amazon DocumentDB is not encrypted and that the DocumentDB cluster is not encrypted at rest. A database specialist must correct these issues and ensure that the data in transit and the data at rest are encrypted.

Which actions should the database specialist take to meet these requirements? (Select TWO.)

ADownload the SSH RSA public key for Amazon DocumentDB. Update the application configuration to use the instance endpoint instead of the cluster endpoint and run queries over SSH.

BDownload the SSL .pem public key for Amazon DocumentDB. Add the key to the application package and make sure the application is using the key while connecting to the cluster.

CCreate a snapshot of the unencrypted cluster. Restore the unencrypted snapshot as a new cluster with the ---storage-encrypted parameter set to true. Update the application to point to the new cluster.

DCreate an Amazon DocumentDB VPC endpoint to prevent the traffic from going to the Amazon DocumentDB public endpoint. Set a VPC endpoint policy to allow only the application instance's security group to connect.

EActivate encryption at rest using the modify-db-cluster command with the ---storage-encrypted parameter set to true. Set the security group of the cluster to allow only the application instance's security group to connect.

Show Suggested Answer

Suggested Answer: B, C

by Jolene at Jun 01, 2024, 09:34 PM

Limited Time Offer

25%

Off

Get Premium DBS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Wynell

5 months ago

I like how C and E both focus on encrypting the data, either by restoring or modifying the cluster. Seems like the most robust solutions to the problem.

upvoted 0 times

...

Dorthy

5 months ago

Ha! Downloading an SSH key for a managed service like DocumentDB? That's like trying to dig a tunnel to China. Definitely not the right way to go about this.

upvoted 0 times

Essie

4 months ago

B: E) Activate encryption at rest using the modify-db-cluster command with the ---storage-encrypted parameter set to true. Set the security group of the cluster to allow only the application instance's security group to connect.

upvoted 0 times

...

Wilburn

4 months ago

A: B) Download the SSL .pem public key for Amazon DocumentDB. Add the key to the application package and make sure the application is using the key while connecting to the cluster.

upvoted 0 times

...

Junita

5 months ago

D and E both sound like good options to secure the connection. Creating a VPC endpoint and restricting access with a security group policy is a nice approach.

upvoted 0 times

Carol

4 months ago

Yes, setting encryption at rest and controlling access through security groups seems like a solid plan.

upvoted 0 times

...

Theodora

5 months ago

Creating a VPC endpoint and restricting access with a security group policy is a nice approach.

upvoted 0 times

...

Nieves

5 months ago

D and E both sound like good options to secure the connection.

upvoted 0 times

...

Silva

5 months ago

I agree with you, Cletus. We also need to create an Amazon DocumentDB VPC endpoint to secure the traffic.

upvoted 0 times

...

Cletus

5 months ago

I think we should definitely activate encryption at rest for the Amazon DocumentDB cluster.

upvoted 0 times

...

Twana

5 months ago

I'm not sure about using SSH for the connection. Isn't that a bit of a hacky solution? B looks like the better option for encrypting the data in transit.

upvoted 0 times

...

Melita

5 months ago

Option C seems the most straightforward way to encrypt the data at rest. Restoring the cluster with encryption enabled is a clean solution.

upvoted 0 times

Glory

5 months ago

E) Activate encryption at rest using the modify-db-cluster command with the ---storage-encrypted parameter set to true. Set the security group of the cluster to allow only the application instance's security group to connect.

upvoted 0 times

...

Cherry

5 months ago

B) Download the SSL .pem public key for Amazon DocumentDB. Add the key to the application package and make sure the application is using the key while connecting to the cluster.

upvoted 0 times

...

Donte

5 months ago

upvoted 0 times

...

Tashia

5 months ago

I agree, Option E is also important to activate encryption at rest. We need to make sure data is secure both in transit and at rest.

upvoted 0 times

...

Ashanti

5 months ago

Yes, activating encryption at rest during the restore process is a simple and effective solution.

upvoted 0 times

...

Rodney

5 months ago

I agree, that seems like the most efficient way to ensure the data at rest is encrypted.

upvoted 0 times

...

Lucina

5 months ago

B) Download the SSL .pem public key for Amazon DocumentDB. Add the key to the application package and make sure the application is using the key while connecting to the cluster.

upvoted 0 times

...

Narcisa

5 months ago

Option C is definitely a good choice. Restoring the cluster with encryption enabled is a clean solution.

upvoted 0 times

...

Lashandra

5 months ago

Option C is definitely the way to go. Restoring the cluster with encryption enabled is the best approach.

upvoted 0 times

...