A company uses AWS Organizations to manage multiple AWS accounts. To comply with its information security policy, every unencrypted Amazon EBS volume must be identified and flagged as non-compliant. A DevOps engineer must implement an automated solution so that this compliance check is enforced consistently across all accounts in the organization. Which of the following solutions achieves this objective?
A
Develop an AWS CloudFormation template that incorporates an AWS Inspector rule to verify the encryption status of EBS volumes. Store this template in an Amazon S3 bucket accessible to all company accounts. Modify the account creation script to reference the CloudFormation template in the S3 bucket.
B
Establish an AWS Config organizational rule to monitor whether EBS volumes are encrypted. Deploy this rule via the AWS CLI. Additionally, create and enforce a Service Control Policy (SCP) to prevent the disabling or removal of AWS Config within the organization.
C
Set up a Service Control Policy (SCP) within AWS Organizations to block the initiation of Amazon EC2 instances with unencrypted EBS volumes. Apply this policy across all AWS accounts. Utilize Amazon Athena to scrutinize AWS CloudTrail logs for events that indicate a denial of the ec2:RunInstances action due to encryption requirements.
D
Distribute an IAM role to all accounts from a central trusted account. Construct a pipeline using AWS CodePipeline that includes an AWS Lambda stage to assume the IAM role and enumerate all EBS volumes in each account. Generate a compliance report and store it in an Amazon S3 bucket.
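The mechanism described in option B, an AWS Config organization rule deployed with the AWS CLI plus an SCP that stops member accounts from switching Config off, as an added example that is not part of the question or any exam vendor's material. It uses the real managed-rule identifier ENCRYPTED_VOLUMES; the rule name, SCP name, target root/OU ID and temp-file path are placeholders, and it assumes the AWS CLI is configured for the organization's management account (or the delegated AWS Config administrator) with trusted access for config.amazonaws.com already enabled.

```shell
#!/bin/sh
# Added example (not from the page): deploy the managed rule ENCRYPTED_VOLUMES as an
# organization config rule and attach an SCP that denies the API calls a member
# account could use to stop recording or delete the rule.
# Placeholders: RULE_NAME, SCP_NAME and TARGET_ID are assumed values, not from the page.
set -eu

RULE_NAME="${RULE_NAME:-ebs-volumes-encrypted}"
SCP_NAME="${SCP_NAME:-DenyConfigTampering}"
TARGET_ID="${TARGET_ID:-r-xxxx}"   # root or OU the SCP is attached to (placeholder)

# Metadata for the managed rule. Scoping to AWS::EC2::Volume limits evaluation to volumes.
org_rule_metadata() {
  printf '%s' '{"RuleIdentifier":"ENCRYPTED_VOLUMES","Description":"Flag unencrypted EBS volumes","ResourceTypesScope":["AWS::EC2::Volume"]}'
}

# SCP document: explicit Deny on the Config actions that would disable the check.
# SCPs never apply to the management account, so protect it with IAM separately.
write_scp_document() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyConfigTampering",
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigRule",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:StopConfigurationRecorder"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

deploy() {
  scp_file="$(mktemp)"
  write_scp_document "$scp_file"

  # 1. Organization rule: pushed to every current and future member account that has
  #    a configuration recorder. The rule does not enable AWS Config by itself.
  aws configservice put-organization-config-rule \
    --organization-config-rule-name "$RULE_NAME" \
    --organization-managed-rule-metadata "$(org_rule_metadata)"

  # 2. Create the SCP and attach it to the root or OU so it covers all member accounts.
  policy_id="$(aws organizations create-policy \
    --name "$SCP_NAME" --type SERVICE_CONTROL_POLICY \
    --description "Prevent member accounts from disabling AWS Config" \
    --content "file://$scp_file" \
    --query 'Policy.PolicySummary.Id' --output text)"
  aws organizations attach-policy --policy-id "$policy_id" --target-id "$TARGET_ID"

  # 3. Confirm the rule was created in each account (CREATE_SUCCESSFUL per account).
  aws configservice get-organization-config-rule-detailed-status \
    --organization-config-rule-name "$RULE_NAME"
  rm -f "$scp_file"
}

# Nothing is changed in AWS unless the script is invoked with the "deploy" argument.
if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

Two caveats a practitioner should check before relying on this: an organization rule only evaluates in accounts where a configuration recorder and delivery channel already exist, so recorder setup still has to be part of account provisioning; and the SCP above blocks tampering by member-account principals only, since SCPs do not restrict the management account. Accounts that legitimately must be skipped can be passed to put-organization-config-rule with --excluded-accounts.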