Question #849
A company's security audit discovered that newly created Amazon EBS volumes are unencrypted. A solutions architect must ensure all future EBS volumes are encrypted with the LEAST operational overhead. Which solution meets this requirement?
A. Create an Amazon CloudWatch Events rule to trigger an AWS Lambda function that encrypts newly created unencrypted EBS volumes.
B. Use AWS Security Hub to monitor and enforce EBS encryption compliance.
C. Implement an AWS Config rule to detect unencrypted EBS volumes and remediate using AWS Systems Manager Automation.
D. Enable EBS encryption by default in the AWS account settings for all Regions.
Explanation
Answer D is correct because AWS allows enabling EBS encryption by default at the account level. This setting automatically encrypts all new EBS volumes across all Regions, requiring no additional automation or monitoring. Options A and C rely on reactive remediation (encrypting a volume after it has already been created unencrypted) and add operational complexity. Option B (Security Hub) monitors compliance but does not enforce encryption. Enabling default encryption (D) is proactive, simple, and aligns with AWS best practices. Key point: use AWS account settings for encryption defaults to minimize overhead.
Answer
The correct answer is: D