A solutions architect wants to ensure that all new Amazon EBS volumes created in a specific AWS Region are encrypted by default. How can this be achieved with the LEAST operational overhead?

Answer options:

Create an IAM policy that denies the ec2:CreateVolume action if the volume is not encrypted.

Enable the 'EBS Encryption by Default' setting in the EC2 console for the Region.

Use AWS Config to detect unencrypted volumes and trigger a Lambda function to encrypt them.

Create a custom AWS CloudFormation macro to enforce encryption on all EBS volumes.

How to approach this question

Look for native account-level settings that enforce compliance automatically.

Full Answer

B.Enable the 'EBS Encryption by Default' setting in the EC2 console for the Region.✓ Correct

Enable the 'EBS Encryption by Default' setting in the EC2 console for the Region.

You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. By enabling 'EBS Encryption by Default' for a Region, all new volumes are automatically encrypted using the default KMS key or a key you specify.

Common mistakes

Overcomplicating the solution with IAM policies or AWS Config when a native setting exists.

Question 17 All questions Question 19

Practice the full AWS SAA-C03 Practice Exam 1

65 questions · hints · full answers · grading

More questions from this exam

Q01A company has multiple AWS accounts in an AWS Organizations organization. The security team wants...Medium Q02A solutions architect is designing an application that will run on Amazon EC2 instances. The appl...Easy Q03A company wants to implement a federated identity solution for its employees to access the AWS Ma...Medium Q04A mobile application needs to access Amazon DynamoDB directly to read user-specific data. The app...Hard Q05A company is hosting a web application on Amazon EC2 instances. The application connects to an Am...Medium

View all 65 questions →