AWS Certified Solutions Architect - Professional / Question #899 of 529

Question #899

A company has multiple AWS accounts. A recent security audit identified several unencrypted Amazon RDS database instances. A solutions architect must encrypt these instances and ensure that any future unencrypted instances are automatically detected. The solution must enable centralized management of multiple accounts with an emphasis on compliance and security.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

A. Create an organization in AWS Organizations. Set up AWS Control Tower and enable the strongly recommended guardrails. Enroll all accounts into the organization and organize them into appropriate organizational units (OUs).

B. Use the AWS CLI to identify all unencrypted RDS instances across all accounts. Execute a script to modify each instance to enable encryption without downtime.

C. For each unencrypted RDS instance, create a snapshot, encrypt the snapshot during copy, restore the encrypted snapshot as a new RDS instance, and replace the original instance with the new encrypted one.

D. Enable AWS Config in all accounts and configure a managed rule to check for unencrypted RDS instances. Use Amazon SNS to notify administrators when non-compliant instances are detected.

E. Implement AWS CloudTrail logging across all accounts. Create an Amazon EventBridge rule that triggers an AWS Lambda function to encrypt any newly created unencrypted RDS instances.

Explanation

Answer A ensures centralized management and compliance by using AWS Control Tower's guardrails, which enforce encryption policies across all accounts, preventing future unencrypted RDS instances. Answer C provides the correct method to remediate existing unencrypted RDS instances by creating an encrypted snapshot and restoring it.

Other options are incorrect: B suggests modifying RDS instances directly, which isn't possible without downtime and snapshot restoration. D (AWS Config) detects unencrypted instances but doesn't prevent them, and Control Tower's guardrails already include detection. E uses reactive automation, which is less efficient than proactive prevention via guardrails.

Answer

The correct answer is: AC