Q: 6
A company has multiple AWS accounts. The company recently had a security audit that revealed
many unencrypted Amazon Elastic Block Store (Amazon EBS) volumes attached to Amazon EC2
instances.
A solutions architect must encrypt the unencrypted volumes and ensure that unencrypted volumes
will be detected automatically in the future. Additionally, the company wants a solution that can
centrally manage multiple AWS accounts with a focus on compliance and security.
Which combination of steps should the solutions architect take to meet these requirements?
(Choose two.)
Options
Discussion
A and C work. A deals with the central control, especially with those strongly recommended guardrails which actually spot unencrypted EBS. C's the supported method for encrypting existing volumes using snapshot and replacement. Pretty sure that's what AWS wants here.
C or A. C is the AWS-recommended way to encrypt existing EBS, but A uses strongly recommended guardrails for ongoing compliance - D only has mandatory guardrails, which is a common trap. I think A and C fit best, but happy to hear other perspectives.
Makes sense to pick A and C here. Control Tower with strongly recommended guardrails (A) makes sure ongoing EBS encryption compliance is managed across accounts, and C follows the proper method to remediate current unencrypted EBS. Saw similar logic in official AWS study material, but open to other takes if I missed something.
Call it A and C here. Strongly recommended guardrails in Control Tower (A) actually detect unencrypted EBS, mandatory (D) doesn't cover that. B looks easy but isn't full remediation per AWS standards. Anyone see a reason D would apply?
Had something like this in a mock. It's A and C. A covers multi-account governance and actually detects unencrypted EBS with Control Tower's strongly recommended guardrails. C is the supported method for remediating existing unencrypted volumes (snapshot, encrypt, attach). Pretty confident, unless AWS changed what each guardrail tier does.
A imo. The strongly recommended guardrails in Control Tower are the only ones that actually detect unencrypted EBS, mandatory doesn't cover that. For fixing the existing volumes, C's snapshot and replace is pretty much AWS standard. Saw a similar question on a practice exam and this combo was marked right. Open to other takes if something's changed.
Yeah, it's A and C here. Only the strongly recommended guardrails in Control Tower (A) provide the detective control for unencrypted EBS volumes, mandatory ones (D) don't. For fixing what's already unencrypted, C's snapshot and replace approach is the AWS-supported way. B is a tempting shortcut but isn't the right remediation per AWS docs. Pretty sure on this, unless Control Tower changes their guardrails.
C or D? D looks tempting since it talks about mandatory guardrails, but those don't catch unencrypted EBS volumes - only the strongly recommended ones in A do that. So even though both mention Control Tower and OUs, only A covers the ongoing detective control part. Pretty sure that's why C and A together are right. Disagree?
A and C tbh. A uses Control Tower's strong guardrails for compliance and detects unencrypted EBS going forward, while C is the proper AWS method to remediate current volumes. D is tricky but doesn't include that detective control, easy trap.
Had something like this in a mock, picked A and C. Control Tower with the strongly recommended guardrails (A) actually covers detection for future EBS compliance, not just the mandatory ones. C is the only option that properly encrypts existing volumes. Pretty sure that's what AWS expects.