ExpertHard1 markMultiple Choice
AWS SAP-C02 · Question 66 · Domain 1.2: Security Controls
A company is using AWS Control Tower. They want to ensure that all EBS volumes created in any member account are encrypted with a specific AWS KMS Customer Managed Key (CMK) owned by a central Security account. What is the MOST robust way to enforce this?
A company is using AWS Control Tower. They want to ensure that all EBS volumes created in any member account are encrypted with a specific AWS KMS Customer Managed Key (CMK) owned by a central Security account. What is the MOST robust way to enforce this?
Answer options:
A.
Use AWS Config to detect unencrypted volumes and remediate them.
B.
Create an SCP that denies ec2:CreateVolume if the ec2:Encrypted condition is false.
C.
Create an SCP that denies ec2:CreateVolume if the kms:EncryptionContext:aws:ebs:id condition does not match the central CMK ARN.
D.
Create an SCP that denies ec2:CreateVolume if the request does not specify the central CMK ARN.
How to approach this question
Use SCPs to proactively enforce specific parameters (like a KMS key ARN) during resource creation.
Full Answer
D.Create an SCP that denies ec2:CreateVolume if the request does not specify the central CMK ARN.✓ Correct
Create an SCP that denies ec2:CreateVolume if the s3:x-amz-server-side-encryption-aws-kms-key-id condition does not match the central CMK ARN.
Service Control Policies (SCPs) can enforce not just that encryption is used, but that a *specific* KMS key is used. By denying the ec2:CreateVolume action unless the request includes the ARN of the central CMK, compliance is mathematically guaranteed.
Common mistakes
Enforcing encryption generally, but forgetting to enforce the specific key.
Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 4
75 questions · hints · full answers · grading
More questions from this exam
Q01A global enterprise is redesigning its network architecture across 50 AWS accounts. They require ...HardQ02A financial services company uses AWS Organizations to manage 100+ accounts. The security team ma...MediumQ03An e-commerce company requires a multi-region active-active architecture for its critical order p...MediumQ04A company is setting up a new AWS environment using AWS Control Tower. They need to ensure that a...HardQ05An enterprise has 50 AWS accounts under AWS Organizations. They want to implement a chargeback mo...Medium