Amazon Exam DBS-C01 Topic 6 Question 98 Discussion

Actual exam question for Amazon's DBS-C01 exam

Question #: 98
Topic #: 6

A healthcare company is running an application on Amazon EC2 in a public subnet and using Amazon DocumentDB (with MongoDB compatibility) as the storage layer. An audit reveals that the traffic between the application and Amazon DocumentDB is not encrypted and that the DocumentDB cluster is not encrypted at rest. A database specialist must correct these issues and ensure that the data in transit and the data at rest are encrypted.

Which actions should the database specialist take to meet these requirements? (Select TWO.)

ADownload the SSH RSA public key for Amazon DocumentDB. Update the application configuration to use the instance endpoint instead of the cluster endpoint and run queries over SSH.

BDownload the SSL .pem public key for Amazon DocumentDB. Add the key to the application package and make sure the application is using the key while connecting to the cluster.

CCreate a snapshot of the unencrypted cluster. Restore the unencrypted snapshot as a new cluster with the ---storage-encrypted parameter set to true. Update the application to point to the new cluster.

DCreate an Amazon DocumentDB VPC endpoint to prevent the traffic from going to the Amazon DocumentDB public endpoint. Set a VPC endpoint policy to allow only the application instance's security group to connect.

EActivate encryption at rest using the modify-db-cluster command with the ---storage-encrypted parameter set to true. Set the security group of the cluster to allow only the application instance's security group to connect.

Show Suggested Answer

Suggested Answer: B, C

by Eladia at Jul 16, 2024, 11:41 AM

Limited Time Offer

25%

Off

Get Premium DBS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Tabetha

6 days ago

Wow, this is a tough one. I'm going to have to go with C and E. Encrypting the data at rest and updating the application to use the new cluster seems like the way to go. Though I do wonder if the database specialist has any experience with 'magic the gathering' - that might come in handy here!

upvoted 0 times

...

Gaston

15 days ago

And we should make sure to update the security group of the cluster to only allow connections from the application instance's security group.

upvoted 0 times

...

Mari

16 days ago

Yes, we can do that by setting the ---storage-encrypted parameter to true using the modify-db-cluster command.

upvoted 0 times

...

Novella

17 days ago

We should also activate encryption at rest for the data in Amazon DocumentDB.

upvoted 0 times

...

Carlee

17 days ago

C and D for sure! Creating an encrypted snapshot and restoring it, along with setting up a VPC endpoint to secure the connection, sounds like the best approach to me.

upvoted 0 times

...

Vernell

27 days ago

I'd say B and E are the right choices. Downloading the SSL .pem key and adding it to the application, and then modifying the cluster to enable encryption at rest, should do the trick.

upvoted 0 times

Mitsue

3 days ago

Agreed, downloading the SSL .pem key and enabling encryption at rest should secure the data.

upvoted 0 times

...

Fletcher

11 days ago

I think B and E are the best options.

upvoted 0 times

...

Renato

1 months ago

Hmm, I think options C and E are the way to go here. We need to encrypt the data at rest and in transit, so restoring an encrypted snapshot and modifying the cluster to enable encryption at rest seem like the best solutions.

upvoted 0 times