AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A production account (1111) hosts a business-critical Amazon RDS for PostgreSQL Multi-AZ DB instance in the us-east-1 Region. A new compliance mandate requires that:
Encrypted backups must be retained for at least 35 days in a dedicated disaster-recovery (DR) account (2222) that belongs to the same AWS Organization.
The DR backups must reside in the us-west-2 Region so they are isolated from the primary Region.
Administrators in the DR account must be able to restore the database without assistance from the production account.
The solution must rely on managed AWS capabilities and minimize ongoing manual work.
A recovery point objective (RPO) of 24 hours is acceptable.
Which approach meets these requirements with the LEAST operational overhead?
Use AWS Backup in the production account to define a single copy rule that sends daily RDS backups directly to a backup vault in the DR account in us-west-2 with a 35-day retention period.
Enable cross-Region automated backups replication on the RDS instance from us-east-1 to us-west-2 and manually share each replicated backup with the DR account. Set the backup retention period to 35 days in us-west-2.
Create a cross-Region read replica of the RDS instance in the DR account in us-west-2 and rely on the replica's automated backups, configured for 35-day retention, to satisfy the compliance mandate.
In the production account, create an AWS Backup plan that performs daily snapshot backups of the RDS instance and copies them to a backup vault in the DR account in us-east-1. In the DR account, configure a second AWS Backup plan that automatically copies those snapshots to a backup vault in us-west-2 with a 35-day retention policy. Use customer-managed CMKs shared between the accounts for encryption.
AWS Backup can automate snapshot creation and retention while handling encryption keys. For Amazon RDS snapshots, a single copy job can be either cross-account or cross-Region, but not both. The simplest compliant design therefore uses two managed copy rules:
A daily backup plan in the production account copies each snapshot to a backup vault that resides in the DR account but stays in the same Region (us-east-1).
A second backup plan that runs in the DR account automatically copies the incoming snapshots to a vault in us-west-2 and sets the 35-day retention.
Because the snapshots end up in the DR account, operators there can restore the database independently. All steps are fully managed once the plans and customer-managed CMKs are in place, so operational effort is minimal.
The alternative proposals fail at least one requirement:
Cross-Region automated backups replicate only inside the same account and still need manual snapshot sharing, increasing effort.
A cross-Region read replica provides replication, not immutable backups, and retention is lost if the replica is removed.
A single AWS Backup rule that is simultaneously cross-account and cross-Region is not supported for RDS snapshots.
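The two-hop design and the rejected single-rule option can be checked mechanically. The following is an added example, not part of the original question: it walks a chain of copy actions (using the `DestinationBackupVaultArn` and `Lifecycle.DeleteAfterDays` fields of an AWS Backup copy action) and applies the one-dimension-per-copy constraint as the explanation states it. The 12-digit account IDs, vault names and the `lint_chain` helper are constructed for illustration.

```python
from typing import NamedTuple

class Location(NamedTuple):
    account: str
    region: str

def parse_vault_arn(arn: str) -> Location:
    # Vault ARN layout: arn:aws:backup:<region>:<account>:backup-vault:<name>
    parts = arn.split(":", 6)
    if len(parts) != 7 or parts[2] != "backup" or parts[5] != "backup-vault":
        raise ValueError(f"not a backup vault ARN: {arn!r}")
    return Location(account=parts[4], region=parts[3])

def lint_chain(source, copy_actions, required, min_days=35):
    """Walk the copy hops in order; return findings (empty list = compliant)."""
    findings, here, days = [], source, None
    for action in copy_actions:
        dst = parse_vault_arn(action["DestinationBackupVaultArn"])
        # Constraint stated on the page: one RDS snapshot copy job is
        # cross-account OR cross-Region, never both.
        if here.account != dst.account and here.region != dst.region:
            findings.append(f"{here.account}/{here.region} -> {dst.account}/{dst.region}: "
                            "copy is both cross-account and cross-Region")
        here, days = dst, action.get("Lifecycle", {}).get("DeleteAfterDays")
    if here != required:
        findings.append(f"final copy lands in {here.account}/{here.region}, "
                        f"not {required.account}/{required.region}")
    # Lint policy of this example: the final vault copy must state its retention.
    if days is None or days < min_days:
        findings.append(f"final copy retention {days} is below {min_days} days")
    return findings

# Constructed sample data: 12-digit stand-ins for accounts 1111 and 2222,
# hypothetical vault names.
PROD = Location("111111111111", "us-east-1")
DR_WEST = Location("222222222222", "us-west-2")
SINGLE_RULE = [{"DestinationBackupVaultArn":
                "arn:aws:backup:us-west-2:222222222222:backup-vault:dr-vault",
                "Lifecycle": {"DeleteAfterDays": 35}}]
TWO_HOPS = [{"DestinationBackupVaultArn":
             "arn:aws:backup:us-east-1:222222222222:backup-vault:dr-staging"},
            {"DestinationBackupVaultArn":
             "arn:aws:backup:us-west-2:222222222222:backup-vault:dr-vault",
             "Lifecycle": {"DeleteAfterDays": 35}}]

if __name__ == "__main__":
    for name, chain in (("single rule", SINGLE_RULE), ("two hops", TWO_HOPS)):
        print(name, lint_chain(PROD, chain, DR_WEST) or "OK")
```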
Design Solutions for Organizational Complexity