Easy · 1 mark · Multiple Choice
Domain 1.2: Security Controls · Security · EBS · Encryption

AWS SAP-C02 · Question 29 · Domain 1.2: Security Controls

An enterprise has a strict compliance requirement that all Amazon EBS volumes must be encrypted. They want to ensure that no unencrypted EBS volumes can be created in their AWS accounts, even by administrators. What is the MOST robust way to enforce this?

Answer options:

A. Create an IAM policy that denies the ec2:CreateVolume action if the Encrypted flag is false, and attach it to all users.

B. Use AWS Config to detect unencrypted volumes and trigger a Lambda function to encrypt them.

C. Enable 'EBS Encryption by Default' at the account level in all regions.

D. Create an SCP that denies the ec2:RunInstances action.

How to approach this question

Look for the native, foolproof account-level setting.

Full Answer

C. Enable 'EBS Encryption by Default' at the account level in all regions. ✓ Correct
AWS provides a native account-level setting called 'EBS Encryption by Default'. When enabled, it ensures that all new EBS volumes created in the account/region are encrypted, fulfilling strict compliance requirements preventatively.

Common mistakes

Relying on IAM policies, which are complex to manage and can have gaps.
