A company wants to ensure that all Amazon EBS volumes created in its AWS account are encrypted by default. <br/><br/>How can a solutions architect achieve this with the LEAST operational overhead?

Create an AWS Config rule to evaluate EBS volumes and trigger an AWS Lambda function to encrypt unencrypted volumes.

Enable the 'EBS Encryption by Default' feature in the EC2 console for the specific AWS Region.

Use an IAM policy with a condition that denies the ec2:CreateVolume action if the Encrypted flag is false.

Create an AWS CloudTrail trail to monitor volume creation and alert administrators to manually encrypt them.