ExpertMinds LogoExpertMinds
Easy1 markMultiple Choice
Domain 1.2: Security ControlsSecurityEBSEncryptionCompliance

AWS SAP-C02 · Question 60 · Domain 1.2: Security Controls

An enterprise has a strict compliance requirement that all Amazon EBS volumes must be encrypted with a specific AWS KMS Customer Managed Key (CMK). They want to enforce this automatically so that if a developer forgets to specify the encryption key during instance launch, the volume is still encrypted with the correct CMK, and the launch does not fail. How can the Architect achieve this with the LEAST operational overhead?

Answer options:

A.

Enable 'EBS Encryption by Default' at the account level and select the specific KMS CMK as the default key.

B.

Create an AWS Config rule to detect unencrypted volumes and trigger an SSM Automation document to encrypt them.

C.

Use a Service Control Policy (SCP) to deny the 'ec2:CreateVolume' action if the 's3:x-amz-server-side-encryption' condition is not met.

D.

Create an AWS Lambda function triggered by CloudTrail 'RunInstances' events to modify the volume encryption on the fly.

How to approach this question

Identify the native EC2 feature that automatically encrypts volumes without breaking provisioning workflows.

Full Answer

A.Enable 'EBS Encryption by Default' at the account level and select the specific KMS CMK as the default key.✓ Correct
Enable 'EBS Encryption by Default' at the account level and select the specific KMS CMK as the default key.
Amazon EC2 supports 'EBS Encryption by Default'. This is an account-and-region-specific setting. When you enable it and select a default KMS Customer Managed Key (CMK), AWS automatically encrypts all new EBS volumes and snapshot copies with that key. If a developer launches an instance without specifying encryption, AWS intercepts the request and encrypts the volume transparently, ensuring compliance without breaking the developer's workflow.

Common mistakes

Choosing SCPs, which would block the launch and frustrate developers.
59All questions61

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 5

75 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01A global enterprise is redesigning its AWS network architecture across 50 AWS accounts and 3 AWS ...HardQ02A company uses AWS Organizations to manage multiple accounts. The security team mandates that no ...MediumQ03A financial institution requires a disaster recovery strategy for its critical trading applicatio...HardQ04An enterprise is setting up a new multi-account AWS environment using AWS Control Tower. They nee...MediumQ05A company has a complex AWS environment with hundreds of linked accounts under AWS Organizations....Hard
View all 75 questions →