A company has a PostgreSQL DB instance in Amazon RDS which is not encrypted. As per security policy, data in the RDS instances should be encrypted at rest with AWS KMS.
Which option is correct for RDS DB encryption?

Answer options:

A.Amazon RDS for PostgreSQL DB instance can only be encrypted at creation time and not after its creation. There is no way to achieve this requirement.
B.Take a snapshot of the unencrypted DB instance. Copy the snapshot and encrypt the new snapshot with AWS KMS. Restore the DB instance with the new encrypted snapshot.
C.Take a snapshot of the unencrypted DB instance. Encryption can be enabled by restoring a DB instance from the unencrypted snapshot.
D.Stop the existing RDS instance and encrypt the DB with a KMS CMK.

Answer: B
Option A is incorrect because there is a way to achieve encryption afterward which is given in option
B.Option B is CORRECT. You can enable encryption for an RDS DB instance when you create it, but not after it`s created. However, you can add encryption to an unencrypted DB instance by creating a snapshot of your DB instance and then creating an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot to get an encrypted copy of your original DB instance.
Option C is incorrect because we have to copy and encrypt the snapshot first.
Option D is incorrect because the currently running un-encrypted DB instance cannot be encrypted.
References:
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html
https://blog.theodo.com/2019/11/encrypt-existing-aws-rds-database/
https://aws.amazon.com/blogs/security/architecting-for-database-encryption-on-aws/