
Answer-first summary for fast verification
Answer: Create the EBS volumes as encrypted volumes. Attach the EBS volumes to the EC2 instances.
## Explanation

**Correct Answer: B** - Create the EBS volumes as encrypted volumes. Attach the EBS volumes to the EC2 instances.

### Why Option B is Correct:

1. **EBS Encryption at Rest**: The most direct and effective way to ensure data written to EBS volumes is encrypted at rest is to create the EBS volumes as encrypted volumes from the start.
2. **Native EBS Encryption**: Amazon EBS provides native encryption. When you create an encrypted EBS volume, all data stored on the volume, all disk I/O, and all snapshots created from the volume are encrypted.
3. **Automatic Encryption**: Data is encrypted transparently before it leaves the EC2 instance and decrypted when it is read back, so applications need no changes.
4. **KMS Integration**: EBS encryption uses AWS Key Management Service (AWS KMS) keys, but the encryption itself is handled automatically once the volume is created as encrypted.

### Why Other Options are Incorrect:

**A. Create an IAM role that specifies EBS encryption. Attach the role to the EC2 instances.**
- IAM roles control permissions; they do not encrypt EBS volumes. A role can grant permission to use KMS keys for encryption, but it neither enables nor enforces encryption on its own.

**C. Create an EC2 instance tag that has a key of Encrypt and a value of True. Tag all instances that require encryption at the EBS level.**
- Tags are metadata for resource management and do not enforce encryption. AWS does not encrypt EBS volumes based on instance tags.

**D. Create an AWS Key Management Service (AWS KMS) key policy that enforces EBS encryption in the account. Ensure that the key policy is active.**
- A KMS key policy controls access to an encryption key; it does not encrypt EBS volumes. You still need to explicitly create encrypted volumes or enable the encryption-by-default setting.

### Best Practices:

1. Always create EBS volumes as encrypted volumes when data protection is required.
2. Use AWS KMS customer-managed keys (CMKs) for greater control over encryption keys.
3. Enable default EBS encryption at the account level to ensure all new EBS volumes are encrypted automatically.
4. Remember that encryption of EBS volumes cannot be enabled after volume creation (except through the snapshot copy process).
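The points above (only the volume's own encryption flag matters, tags and roles do nothing, and the account-level default setting is the safety net) can be checked mechanically. The following is an added example, not code from LeetQuiz or from AWS: it audits the JSON shape returned by `aws ec2 describe-volumes` and `aws ec2 get-ebs-encryption-by-default`, but the records it reads are constructed inline (volume, instance and key identifiers are made up) and no AWS API is called.

```python
"""Audit EBS volumes for encryption at rest.

Added example: consumes the JSON shape of `aws ec2 describe-volumes` and
`aws ec2 get-ebs-encryption-by-default`, but the records below are
constructed here and no AWS API is called.
"""
import json

# Constructed sample modelled on `aws ec2 describe-volumes` output (not real data).
# vol-0bbb222 carries an Encrypt=True tag but is NOT encrypted: the tag is irrelevant.
DESCRIBE_VOLUMES_JSON = """
{
  "Volumes": [
    {"VolumeId": "vol-0aaa111", "Encrypted": true,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "Attachments": [{"InstanceId": "i-0111aaa", "Device": "/dev/xvda", "State": "attached"}],
     "Tags": [{"Key": "Encrypt", "Value": "True"}]},
    {"VolumeId": "vol-0bbb222", "Encrypted": false,
     "Attachments": [{"InstanceId": "i-0222bbb", "Device": "/dev/xvdf", "State": "attached"}],
     "Tags": [{"Key": "Encrypt", "Value": "True"}]},
    {"VolumeId": "vol-0ccc333", "Encrypted": false, "Attachments": [], "Tags": []}
  ]
}
"""

# Constructed sample modelled on `aws ec2 get-ebs-encryption-by-default` output.
ENCRYPTION_BY_DEFAULT_JSON = '{"EbsEncryptionByDefault": false}'


def unencrypted_volumes(describe_volumes_json):
    """Return the volumes whose data is not encrypted at rest.

    The decision rests on the volume's own `Encrypted` flag only. An
    `Encrypt=True` tag (option C in the question) is reported but never
    treated as encryption, because tags are metadata and do not change
    how EBS stores the data.
    """
    findings = []
    for vol in json.loads(describe_volumes_json)["Volumes"]:
        if vol.get("Encrypted") is True:
            continue
        findings.append({
            "VolumeId": vol["VolumeId"],
            "Instances": sorted(a["InstanceId"] for a in vol.get("Attachments", [])),
            "TaggedEncrypt": any(t["Key"] == "Encrypt" for t in vol.get("Tags", [])),
        })
    return findings


def default_encryption_enabled(encryption_by_default_json):
    """True when the region's 'encryption by default' setting is on.

    With it on, every new volume is encrypted without the creator having to
    ask for it, which is why the best practices above recommend it.
    """
    return bool(json.loads(encryption_by_default_json).get("EbsEncryptionByDefault", False))


def audit(describe_volumes_json, encryption_by_default_json):
    """Combine both checks into one report dict."""
    return {
        "default_encryption": default_encryption_enabled(encryption_by_default_json),
        "unencrypted": unencrypted_volumes(describe_volumes_json),
    }


if __name__ == "__main__":
    report = audit(DESCRIBE_VOLUMES_JSON, ENCRYPTION_BY_DEFAULT_JSON)
    print("EBS encryption by default:", report["default_encryption"])
    for f in report["unencrypted"]:
        note = " (tagged Encrypt=True, which changes nothing)" if f["TaggedEncrypt"] else ""
        print(f"{f['VolumeId']}: NOT encrypted, attached to {f['Instances'] or 'nothing'}{note}")
```

Against real output, feed the two CLI commands' JSON into `audit`. A finding on an existing volume cannot be fixed in place (best practice 4): the data has to be moved to a volume created as encrypted, for example by copying a snapshot with encryption enabled. A `false` default-encryption result is remediated with `aws ec2 enable-ebs-encryption-by-default` in each region in use.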
Author: LeetQuiz Editorial Team
A company is deploying a new application on Amazon EC2 instances. The application writes data to Amazon Elastic Block Store (Amazon EBS) volumes. The company needs to ensure that all data that is written to the EBS volumes is encrypted at rest.
Which solution will meet this requirement?
**A.** Create an IAM role that specifies EBS encryption. Attach the role to the EC2 instances.

**B.** Create the EBS volumes as encrypted volumes. Attach the EBS volumes to the EC2 instances.

**C.** Create an EC2 instance tag that has a key of Encrypt and a value of True. Tag all instances that require encryption at the EBS level.

**D.** Create an AWS Key Management Service (AWS KMS) key policy that enforces EBS encryption in the account. Ensure that the key policy is active.