
A company with AWS Organizations enabled uses Amazon EC2 in the ap-southeast-2 Region, restricted by an SCP from creating resources in other Regions. A security policy mandates data at rest encryption. An audit found unencrypted Amazon EBS volumes for EC2. The company seeks a solution to ensure all new EC2 instances in ap-southeast-2 use encrypted EBS, with minimal disruption to employees creating EBS volumes. Which two-step solution meets these criteria?
A. Set a default encryption key for EBS volumes in the Amazon EC2 console.
B. Create an IAM permission boundary attached to the root OU, denying ec2:CreateVolume when ec2:Encrypted is false.
C. Create an SCP attached to the root OU, denying ec2:CreateVolume when ec2:Encrypted is false.
D. Update IAM policies to deny ec2:CreateVolume when ec2:Encrypted is false for each account.
E. Specify Default EBS volume encryption in the Organizations management account.