AWS Certified Solutions Architect - Professional / Question #1047 of 529

Question #1047

A company identified multiple unencrypted Amazon EBS volumes attached to EC2 instances across its AWS environment. It needs an automated solution to encrypt these volumes and to ensure that all future EBS volumes are encrypted by default. Which approach meets these requirements?

A

Configure an AWS Config managed rule to detect unencrypted EBS volumes. Set up automatic remediation using a Systems Manager Automation runbook to create encrypted replacements. Create an SCP to explicitly deny the creation of unencrypted EBS volumes.

B

Use AWS Systems Manager Inventory to list unencrypted EBS volumes. Create a Systems Manager Automation runbook to encrypt the volumes. Modify the AWS account setting to enable default EBS encryption for all new volumes.

C

Configure an AWS Config managed rule to identify unencrypted EBS volumes. Enable automatic remediation with a Systems Manager Automation runbook to replace them with encrypted volumes. Modify the AWS account setting to enforce EBS encryption by default for all new volumes.

D

Create a Lambda function to scan and encrypt unencrypted EBS volumes. Use a KMS key policy to deny the creation of unencrypted EBS volumes. Enable AWS Config to monitor compliance.

Explanation

Option C is correct because:
1. AWS Config Managed Rule: Continuously monitors and identifies unencrypted EBS volumes, ensuring real-time compliance checks.
2. Systems Manager Automation: Automatically remediates by replacing unencrypted volumes with encrypted ones, resolving existing issues.
3. Default EBS Encryption: Modifying AWS account settings enforces encryption for all new EBS volumes by default, preventing future unencrypted volumes.

Other options are incorrect because:
- A: SCPs can block unencrypted volume creation but do not enforce default encryption, leaving gaps if permissions are misconfigured.
- B: SSM Inventory lacks real-time compliance monitoring compared to AWS Config.
- D: KMS key policies cannot enforce EBS encryption defaults, and Lambda requires custom scripting where managed services already cover the task.

Key Points: Use AWS Config for compliance monitoring, Systems Manager for remediation, and account-level settings for default encryption to meet both remediation and prevention requirements.
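To make the "remediate existing, prevent future" split concrete, the following Python is an added example (it is not from the exam page and not AWS code). It reproduces, on constructed data, the evaluation logic of the AWS Config managed rule `encrypted-volumes` (attached volumes only; optional `kmsId` key allow-list), the account-level encryption-by-default check that answer C relies on, and the ordered EC2 API steps a remediation runbook has to take because an existing volume cannot be encrypted in place. The volume IDs, key ARNs, instance IDs and the `SAMPLE_*` payloads are constructed placeholders; the real inputs would come from `describe_volumes` and `get_ebs_encryption_by_default` (called per region).

```python
"""Added example: model the detection, prevention and remediation pieces of
answer C on constructed data. Not exam-page or AWS code."""

# Constructed sample in the shape of ec2.describe_volumes()["Volumes"].
# IDs and key ARNs are placeholders, not real resources.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1",
     "Attachments": [{"InstanceId": "i-0001", "State": "attached"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0002", "State": "attached"}]},
    {"VolumeId": "vol-0ccc", "Encrypted": False, "Attachments": []},  # unattached
    {"VolumeId": "vol-0ddd", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-2",
     "Attachments": [{"InstanceId": "i-0003", "State": "attached"}]},
]

# Constructed sample: ec2.get_ebs_encryption_by_default() response per region.
# The setting is per account AND per region, so one region being on is not enough.
SAMPLE_DEFAULT_SETTING = {
    "us-east-1": {"EbsEncryptionByDefault": True},
    "eu-west-1": {"EbsEncryptionByDefault": False},
}


def evaluate_encrypted_volumes(volumes, kms_ids=None):
    """Mirror the encrypted-volumes managed rule.

    Only attached volumes are in scope (unattached ones are skipped here, as
    NOT_APPLICABLE). A volume is NON_COMPLIANT if it is unencrypted, or, when a
    kmsId allow-list is supplied, if it is encrypted with a key outside it.
    Returns {volume_id: "COMPLIANT" | "NON_COMPLIANT"}.
    """
    allowed = set(kms_ids or [])
    results = {}
    for vol in volumes:
        attached = any(a.get("State") == "attached"
                       for a in vol.get("Attachments", []))
        if not attached:
            continue
        if not vol.get("Encrypted"):
            results[vol["VolumeId"]] = "NON_COMPLIANT"
        elif allowed and vol.get("KmsKeyId") not in allowed:
            results[vol["VolumeId"]] = "NON_COMPLIANT"
        else:
            results[vol["VolumeId"]] = "COMPLIANT"
    return results


def remediation_targets(volumes, kms_ids=None):
    """Volume IDs the automatic remediation would act on, sorted for stable output."""
    evaluations = evaluate_encrypted_volumes(volumes, kms_ids)
    return sorted(vid for vid, status in evaluations.items()
                  if status == "NON_COMPLIANT")


def remediation_steps(volume_id, kms_key_id):
    """Ordered EC2 API calls a replacement runbook needs: EBS cannot flip the
    Encrypted flag on an existing volume, so the data is re-created via an
    encrypted snapshot copy and the instance is re-pointed at the new volume."""
    return [
        ("CreateSnapshot", {"VolumeId": volume_id}),
        ("CopySnapshot", {"Encrypted": True, "KmsKeyId": kms_key_id}),
        ("CreateVolume", {"SnapshotId": "<encrypted copy>"}),
        ("DetachVolume", {"VolumeId": volume_id}),
        ("AttachVolume", {"VolumeId": "<new encrypted volume>"}),
    ]


def regions_missing_default_encryption(settings_by_region):
    """Prevention check: regions where encryption-by-default is still off."""
    return sorted(region for region, resp in settings_by_region.items()
                  if not resp.get("EbsEncryptionByDefault"))


if __name__ == "__main__":
    print("Config evaluation:", evaluate_encrypted_volumes(SAMPLE_VOLUMES))
    print("Remediate:", remediation_targets(SAMPLE_VOLUMES))
    print("Regions still unprotected:",
          regions_missing_default_encryption(SAMPLE_DEFAULT_SETTING))
```

Two points the exam explanation leaves implicit fall out of running this: the managed rule never flags `vol-0ccc`, because unattached volumes are out of its scope, and `eu-west-1` remains unprotected until encryption by default is enabled there too, since the setting does not propagate across regions.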

Answer

The correct answer is: C