Question #1429
A company is launching a new set of Amazon EC2 instances for a critical application. The application requires that all Amazon Elastic Block Store (EBS) volumes attached to these instances must be encrypted at rest to comply with security policies. Which approach guarantees that all EBS volumes used by the instances are encrypted?
A. Assign an IAM policy to the EC2 instances that mandates EBS encryption. Attach the policy to the instances' IAM role.
B. Provision the EBS volumes with encryption enabled during creation and attach them to the EC2 instances.
C. Configure an AWS KMS key policy to automatically encrypt all EBS volumes in the AWS account. Activate the policy for all EC2 instances.
D. Apply a resource tag with the key 'Encryption' and value 'Enabled' to all EC2 instances. Enable EBS encryption based on the tag.
Explanation
Option B is correct because provisioning EBS volumes with encryption enabled at creation time guarantees encryption at rest. Encryption is a property of the volume itself and is fixed when the volume is created, so setting it directly ensures compliance without relying on any external configuration.
Option A is incorrect because IAM policies control who may perform API actions; they do not set or enforce the encryption attribute of an EBS volume. Option C is incorrect because a KMS key policy governs access to a key, not whether EBS volumes are encrypted. Option D is incorrect because AWS does not enable EBS encryption based on resource tags. Key points: EBS encryption must be explicitly enabled when the volume is created, or applied through the account-level EBS encryption-by-default setting. Explicitly enabling encryption at creation (option B) is the most reliable method.
Answer
The correct answer is: B
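Because encryption is a per-volume attribute fixed at creation, the practical follow-up to this question is verifying it: the added example below (not part of the original question or of any AWS documentation) audits a constructed sample of `aws ec2 describe-volumes` output, listing every volume whose `Encrypted` flag is not true and reporting, per instance, whether all of its attached volumes are encrypted. The volume IDs, instance IDs and key ARN in the sample are placeholders; the field names follow the real describe-volumes response shape.

```python
"""Compliance check: find EBS volumes that are not encrypted at rest.

Works on the JSON shape returned by `aws ec2 describe-volumes`, so the same
functions can be fed `json.load(...)` of a real response. The sample data
below is constructed for the example; IDs and the key ARN are placeholders.
"""
from typing import Dict, List

SAMPLE_DESCRIBE_VOLUMES = {
    "Volumes": [
        {   # encrypted root volume on the first application instance
            "VolumeId": "vol-0aaa0000placeholder",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
            "Attachments": [{"InstanceId": "i-0app1placeholder",
                             "Device": "/dev/xvda", "State": "attached"}],
        },
        {   # unencrypted data volume attached to the same instance: a finding
            "VolumeId": "vol-0bbb0000placeholder",
            "Encrypted": False,
            "Attachments": [{"InstanceId": "i-0app1placeholder",
                             "Device": "/dev/xvdf", "State": "attached"}],
        },
        {   # fully compliant second instance
            "VolumeId": "vol-0ccc0000placeholder",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
            "Attachments": [{"InstanceId": "i-0app2placeholder",
                             "Device": "/dev/xvda", "State": "attached"}],
        },
        {   # unattached and unencrypted: still a finding, could be attached later
            "VolumeId": "vol-0ddd0000placeholder",
            "Encrypted": False,
            "Attachments": [],
        },
    ]
}


def unencrypted_volumes(describe_volumes: dict) -> List[str]:
    """Return sorted IDs of volumes whose Encrypted flag is not True.

    A missing flag is treated as unencrypted (fail closed).
    """
    return sorted(
        vol["VolumeId"]
        for vol in describe_volumes.get("Volumes", [])
        if vol.get("Encrypted") is not True
    )


def volumes_by_instance(describe_volumes: dict) -> Dict[str, List[dict]]:
    """Group volumes by the instance they are attached to (unattached ones are skipped)."""
    grouped: Dict[str, List[dict]] = {}
    for vol in describe_volumes.get("Volumes", []):
        for att in vol.get("Attachments", []):
            grouped.setdefault(att["InstanceId"], []).append(vol)
    return grouped


def instance_compliance(describe_volumes: dict) -> Dict[str, bool]:
    """True for an instance only when every attached volume is encrypted."""
    return {
        instance_id: all(vol.get("Encrypted") is True for vol in vols)
        for instance_id, vols in volumes_by_instance(describe_volumes).items()
    }


if __name__ == "__main__":
    print("Unencrypted volumes:", unencrypted_volumes(SAMPLE_DESCRIBE_VOLUMES))
    for instance_id, ok in sorted(instance_compliance(SAMPLE_DESCRIBE_VOLUMES).items()):
        print(f"{instance_id}: {'compliant' if ok else 'NON-COMPLIANT'}")
```

Against real output, `aws ec2 describe-volumes --filters Name=encrypted,Values=false` returns only the non-compliant volumes directly, and `aws ec2 enable-ebs-encryption-by-default` turns on the account-level default the explanation mentions; neither changes an existing unencrypted volume, which is why the audit above is still needed after either is applied.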