Q: 6
A company has multiple AWS accounts. The company recently had a security audit that revealed
many unencrypted Amazon Elastic Block Store (Amazon EBS) volumes attached to Amazon EC2
instances.
A solutions architect must encrypt the unencrypted volumes and ensure that unencrypted volumes
will be detected automatically in the future. Additionally, the company wants a solution that can
centrally manage multiple AWS accounts with a focus on compliance and security.
Which combination of steps should the solutions architect take to meet these requirements?
(Choose two.)
Options
Discussion
C or A. C is the AWS-recommended way to encrypt existing EBS, but A uses strongly recommended guardrails for ongoing compliance-D only has mandatory guardrails, which is a common trap. I think A and C fit best, but happy to hear other perspectives.
Makes sense to pick A and C here. Control Tower with strongly recommended guardrails (A) makes sure ongoing EBS encryption compliance is managed across accounts, and C follows the proper method to remediate current unencrypted EBS. Saw similar logic in official AWS study material, but open to other takes if I missed something.
A and C tbh. A uses Control Tower's strong guardrails for compliance and detects unencrypted EBS going forward, while C is the proper AWS method to remediate current volumes. D is tricky but doesn't include that detective control, easy trap.
H: ad something like this in a mock, picked A and C. Control Tower with the strongly recommended guardrails (A) actually covers detection for future EBS compliance, not just the mandatory ones. C is the only option that properly encrypts existing volumes. Pretty sure that's what AWS expects.
Why not D instead of A? Are the mandatory guardrails not enough for EBS compliance?
A and C imo. A sets up Control Tower with org-wide guardrails which will catch future unencrypted EBS, while C is the actual process to swap out existing unencrypted volumes. Only this combo covers both sides.
Be respectful. No spam.
