AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct approach involves automating the copy of an RDS snapshot to the disaster recovery (DR) region and re-encrypting it with a KMS key local to that region. AWS KMS keys are regional resources, so a key from us-east-1 cannot be used to encrypt or decrypt resources in us-west-2. When copying an encrypted snapshot across regions, you must specify a KMS key in the destination region to encrypt the new snapshot copy. This method aligns with the backup and restore DR strategy, which is the most cost-effective solution for the given RPO of 24 hours and RTO of 4 hours.

• The option to use a cross-region read replica describes a warm standby or pilot light approach. This is more expensive than necessary for the specified RPO and RTO. Furthermore, standard KMS keys cannot be replicated; you would need to create a multi-region key, which is a different and more complex setup.
• The option suggesting the use of the original KMS key from us-east-1 in the us-west-2 region is incorrect because KMS keys are region-specific.
• The option to copy the snapshot object directly to an S3 bucket is incorrect. The proper method is to use the CopyDBSnapshot API action (or the equivalent console/AWS Backup function), which handles the transfer and re-encryption. You do not manually copy the underlying snapshot files to S3 for this purpose.