AWS SAP-C02 · Question 60 · Domain 1.2: Security Controls
An enterprise has a strict compliance requirement that all Amazon EBS volumes must be encrypted with a specific AWS KMS Customer Managed Key (CMK). They want to enforce this automatically so that if a developer forgets to specify the encryption key during instance launch, the volume is still encrypted with the correct CMK, and the launch does not fail. How can the Architect achieve this with the LEAST operational overhead?
Answer options:
Enable 'EBS Encryption by Default' at the account level and select the specific KMS CMK as the default key.
Create an AWS Config rule to detect unencrypted volumes and trigger an SSM Automation document to encrypt them.
Use a Service Control Policy (SCP) to deny the 'ec2:CreateVolume' action if the 's3:x-amz-server-side-encryption' condition is not met.
Create an AWS Lambda function triggered by CloudTrail 'RunInstances' events to modify the volume encryption on the fly.
75 questions · hints · full answers · grading
Expert