A company requires that all EBS volumes attached to new EC2 instances must be encrypted. How can a solutions architect ensure this requirement is met with the LEAST operational overhead? (Select TWO.)

Answer options:

Create an IAM policy that denies the ec2:RunInstances action if the volume is not encrypted.

Enable EBS encryption by default in the EC2 console for the AWS Region.

Use an AWS KMS Customer Managed Key (CMK) or the AWS managed key for EBS.

Write a Lambda function triggered by CloudTrail to encrypt unencrypted volumes after creation.

Use AWS Config to automatically terminate instances with unencrypted volumes.

How to approach this question

Look for the 'EBS encryption by default' feature, which is the easiest way to enforce this.

Full Answer

Enable EBS encryption by default in the EC2 console for the AWS Region., Use an AWS KMS Customer Managed Key (CMK) or the AWS managed key for EBS.

You can enable EBS encryption by default for your AWS account in a specific Region. This ensures all new volumes are encrypted using a specified KMS key.

Common mistakes

Choosing complex IAM policies or Lambda functions when a simple regional toggle exists.

Question 17 All questions Question 19

Practice the full AWS SAA-C03 Practice Exam 7

65 questions · hints · full answers · grading

More questions from this exam

Q01A company has multiple AWS accounts in an AWS Organizations organization. The security team needs...Medium Q02An application runs on Amazon EC2 instances and needs to access an Amazon S3 bucket. What is the ...Easy Q03A company wants to implement federated access to the AWS Management Console for its employees usi...Medium Q04A company is building a mobile application that requires users to sign in using their social medi...Easy Q05A security team wants to enforce MFA for all IAM users before they can terminate EC2 instances. H...Medium

View all 65 questions →