Enabling Encryption and Restoring Data in AWS RDS | DOP-C01 Exam Solution

How to Enable Encryption and Restore Data in AWS RDS


Question

A DevOps engineer has used a CloudFormation template to create an RDS resource for a new web application.

The RDS database uses the PostgreSQL engine, and encryption is not enabled.

However, for certain security considerations, the database needs to be updated to enable encryption.

The CloudFormation template is updated accordingly (StorageEncrypted is set to true).

To prevent data loss during the CloudFormation stack update, the data should be restored from the latest DB snapshot.

Which two steps should be taken in combination to meet this requirement? (Select TWO.)

Answers

Explanations


Correct Answer - B, D.

When StorageEncrypted is modified and the CloudFormation stack is updated, the DB instance is deleted and replaced with a new one.

Check https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsnapshotidentifier for details.

In the meantime, the CloudFormation template needs to use DBSnapshotIdentifier to point to the DB snapshot which the CloudFormation stack will use.

Option A is incorrect: if a DB instance is deleted or replaced during an update, AWS CloudFormation deletes all automated snapshots.

However, it retains manual DB snapshots.

Refer to the link: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html.

Option B is CORRECT: the manual snapshot preserves the data, and its ARN is what the CloudFormation template will reference.

Refer to option D.

Option C is incorrect: the original DB instance is not used anymore.

A new instance is required in which the encryption is enabled.

So this option does not help to resolve the problem.

Option D is CORRECT: AWS CloudFormation creates a new database from the snapshot specified by DBSnapshotIdentifier.

Please refer to https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsnapshotidentifier for the recommended approaches when updating DB instances.

Option E is incorrect: this option only takes a snapshot before tearing down the original DB instance.

Instead, a manual snapshot is required, and its ARN should be provided to the CloudFormation template.

To enable encryption on an RDS instance in a CloudFormation stack without data loss, you need to perform the following two steps:

  1. Take a manual DB snapshot: Before updating the CloudFormation stack, take a manual snapshot of the current RDS instance. This snapshot will serve as a backup in case anything goes wrong during the update process. To take a manual snapshot, you should deactivate any applications that are using the DB instance to prevent any changes from occurring during the snapshot creation. Once the snapshot is complete, record the DBSnapshotIdentifier for use in the CloudFormation stack update.

Therefore, answer B is correct: deactivate any applications that are using the DB instance and then create a manual snapshot.

Answer A is incorrect: while it's always a good idea to ensure that automated snapshots are working correctly, in this scenario, we need to take a manual snapshot.

  2. Update the CloudFormation stack: After taking a manual snapshot, update the CloudFormation stack to enable encryption on the RDS instance. When updating the stack, specify the DBSnapshotIdentifier property with the ID of the snapshot that you took in step 1. This ensures that the update process restores data from the snapshot before applying the encryption changes.

Therefore, answer D is correct: add the DBSnapshotIdentifier property with the ID of the used DB snapshot.
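As an added illustration (not part of the original question or of AWS documentation), this is what the updated template looks like after steps B and D: the manual snapshot is passed in as a parameter and the replacement instance is created encrypted from it. The parameter name ManualSnapshotId, the logical resource name AppDatabase and the snapshot ARN are placeholders.

```yaml
# Added example, not from the original page. Step B is performed before
# the stack update, outside CloudFormation, e.g. with the AWS CLI:
#   aws rds create-db-snapshot --db-instance-identifier app-db \
#       --db-snapshot-identifier app-db-pre-encrypt
#   aws rds wait db-snapshot-available --db-snapshot-identifier app-db-pre-encrypt
# Stop the application first so no writes are lost between snapshot and cut-over.
AWSTemplateFormatVersion: "2010-09-09"
Description: PostgreSQL instance re-created with encryption from a manual snapshot

Parameters:
  ManualSnapshotId:
    Type: String
    # Placeholder ARN; supply the snapshot created in step B.
    Default: arn:aws:rds:REGION:ACCOUNT_ID:snapshot:app-db-pre-encrypt
    Description: Manual DB snapshot the replacement instance is restored from

Resources:
  AppDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.medium
      # Step D: CloudFormation restores the new instance from this snapshot,
      # so AllocatedStorage, MasterUsername etc. are inherited from it.
      DBSnapshotIdentifier: !Ref ManualSnapshotId
      # Changing this property is what forces the instance to be replaced.
      StorageEncrypted: true
      # Optional: a customer managed key; without it the AWS managed RDS key is used.
      # KmsKeyId: alias/PLACEHOLDER-rds-key

Outputs:
  Endpoint:
    Value: !GetAtt AppDatabase.Endpoint.Address
```

Because the replacement is a new instance, its endpoint address changes; the output above is where the application configuration should read the new hostname from.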

In addition, to prevent accidental deletion of the RDS instance, you can add a Stack Policy in the CloudFormation stack that prevents the resource from being deleted. This ensures that the RDS instance is not accidentally deleted during the stack update.

Therefore, answer C is also correct: add a Stack Policy in the CloudFormation stack to prevent the DB resource from being deleted.

However, answer E is not necessary for this scenario. A DeletionPolicy of Snapshot is used when deleting a CloudFormation stack and specifies what to do with the resources that the stack created. It is not relevant when updating the stack, as we are not deleting any resources.