
A company uses AWS Organizations with all features enabled and runs multiple Amazon EC2 workloads in the ap-southeast-2 Region. The company has a service control policy (SCP) that prevents any resources from being created in any other Region. A security policy requires the company to encrypt all data at rest.
An audit discovers that employees have created Amazon Elastic Block Store (Amazon EBS) volumes for EC2 instances without encrypting the volumes. The company wants any new EC2 instances that any IAM user or root user launches in ap-southeast-2 to use encrypted EBS volumes. The company wants a solution that will have minimal effect on employees who create EBS volumes.
Which combination of steps will meet these requirements? (Choose two.)
A
In the Amazon EC2 console, select the EBS encryption account attribute and define a default encryption key.
B
Create an IAM permission boundary. Attach the permission boundary to the root organizational unit (OU). Define the boundary to deny the ec2:CreateVolume action when the ec2:Encrypted condition equals false.
C
Create an SCP. Attach the SCP to the root organizational unit (OU). Define the SCP to deny the ec2:CreateVolume action when the ec2:Encrypted condition equals false.
D
Update the IAM policies for each account to deny the ec2:CreateVolume action when the ec2:Encrypted condition equals false.
E
In the Organizations management account, specify the Default EBS volume encryption setting.
Explanation:
Correct Answers: A and C
A (enable EBS encryption by default with a default key): EBS encryption by default is an EC2 account attribute that is set per account and per Region. Once it is enabled in ap-southeast-2, every new volume in that account and Region, whether created with CreateVolume or as part of RunInstances, is encrypted with the default key (the AWS managed aws/ebs key, or a customer managed key you choose) even when the caller never asks for encryption. Existing unencrypted volumes are not changed. Because employees do not have to alter how they create volumes or instances, this is the step that keeps the effect on them minimal. The setting must be turned on in each account (it can be scripted with enable-ebs-encryption-by-default and modify-ebs-default-kms-key-id); because the existing SCP already confines the company to ap-southeast-2, only that Region needs it.
C (SCP attached to the root OU): an SCP attached to the root OU applies to every principal in every member account, including the root user, whom no IAM identity policy or permission boundary can restrict. Denying ec2:CreateVolume when ec2:Encrypted is false is a backstop: it stops anyone who disables encryption by default, or who works in an account where it was never enabled, from creating an unencrypted volume. With A in place the condition is always true for new volumes, so the Deny never fires during normal work and employees are unaffected. Two caveats a practitioner should keep in mind: SCPs never apply to the management account itself, and the ec2:Encrypted condition key is also available for the volume resource in RunInstances if the same policy is to cover block device mappings at launch.
B (IAM permission boundary attached to the root OU): permission boundaries can be attached only to IAM users and roles, not to organizational units. They cap the permissions an IAM entity can be granted; they are not an organization-wide enforcement mechanism, and they cannot restrict the root user.
D (update the IAM policies in each account): IAM identity policies do not apply to the root user, so this cannot meet the requirement that root-launched instances use encrypted volumes. It would also have to be written and maintained separately in every account.
E (Default EBS volume encryption setting in the management account): EBS encryption by default is scoped to one account and one Region. Setting it in the management account's EC2 console changes only the management account; it does not propagate to member accounts, and the option describes no Organizations policy that would. (Pushing this attribute to member accounts is possible with a newer Organizations declarative policy, but that is a different mechanism from the account setting this option names.)
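The following Python is an added example, not code from the quiz page or from AWS: it models how option A (EBS encryption by default, set per account and Region) and option C (an SCP denying ec2:CreateVolume when ec2:Encrypted is false) interact. It carries the SCP document itself, shows that with encryption by default on the Deny never fires for employees, that in an account where the setting is off the SCP still stops the root user, and that the management account is outside the SCP. The account IDs, the KMS key ARN and the condition evaluator are assumptions for illustration; the evaluator is a deliberately small model of IAM's Deny/condition logic, and the assumption that encryption by default makes ec2:Encrypted true regardless of what the caller sent is stated in the code.

```python
"""Model of answers A and C (added example, not from the quiz page or AWS).

Step A in the CLI, per account and per Region (these commands are real):
  aws ec2 enable-ebs-encryption-by-default --region ap-southeast-2
  aws ec2 modify-ebs-default-kms-key-id --kms-key-id <key arn> --region ap-southeast-2
  aws ec2 get-ebs-encryption-by-default --region ap-southeast-2
Step C: attach SCP_REQUIRE_ENCRYPTED_VOLUMES below to the root OU with
  aws organizations create-policy --type SERVICE_CONTROL_POLICY --content file://scp.json
"""
import json
from dataclasses import dataclass, field
from typing import Dict, Optional

REGION = "ap-southeast-2"

# Hypothetical key ARN standing in for the customer managed key chosen in step A.
DEFAULT_KMS_KEY_ARN = ("arn:aws:kms:ap-southeast-2:111122223333:key/"
                       "1234abcd-12ab-34cd-56ef-1234567890ab")

# Step C: the SCP document as it would be attached to the root OU.
SCP_REQUIRE_ENCRYPTED_VOLUMES: Dict = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnencryptedEbsVolumes",
        "Effect": "Deny",
        "Action": "ec2:CreateVolume",
        "Resource": "*",
        "Condition": {"Bool": {"ec2:Encrypted": "false"}},
    }],
}


def scp_json() -> str:
    """Policy text to write to scp.json for create-policy."""
    return json.dumps(SCP_REQUIRE_ENCRYPTED_VOLUMES, indent=2)


@dataclass
class Account:
    account_id: str                      # constructed sample IDs below
    is_management: bool = False
    ebs_encryption_by_default: Dict[str, bool] = field(default_factory=dict)
    ebs_default_kms_key: Dict[str, Optional[str]] = field(default_factory=dict)


def enable_encryption_by_default(acct: Account, region: str, kms_key_arn: Optional[str] = None) -> None:
    """Step A for one account and Region; None keeps the AWS managed aws/ebs key."""
    acct.ebs_encryption_by_default[region] = True
    acct.ebs_default_kms_key[region] = kms_key_arn


def request_context(acct: Account, region: str, request: Dict) -> Dict[str, str]:
    """Condition context IAM sees for ec2:CreateVolume.

    Model assumption: with encryption by default on, the volume is encrypted no matter
    what the caller sent, so ec2:Encrypted is "true"; otherwise it mirrors the request,
    defaulting to false because an unencrypted volume is the API default."""
    if acct.ebs_encryption_by_default.get(region, False):
        encrypted = True
    else:
        encrypted = bool(request.get("Encrypted", False))
    return {"ec2:Encrypted": "true" if encrypted else "false"}


def _statement_matches(stmt: Dict, action: str, ctx: Dict[str, str]) -> bool:
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions:
        return False
    for key, expected in stmt.get("Condition", {}).get("Bool", {}).items():
        # A Bool condition on a key that is absent from the context does not match.
        if key not in ctx or ctx[key].lower() != str(expected).lower():
            return False
    return True


def scp_denies(policy: Dict, action: str, ctx: Dict[str, str]) -> bool:
    """True if any Deny statement matches. Allow statements are ignored here because the
    default FullAWSAccess SCP is assumed to stay attached next to this one."""
    return any(s["Effect"] == "Deny" and _statement_matches(s, action, ctx)
               for s in policy["Statement"])


def create_volume(acct: Account, region: str, request: Dict, principal: str = "iam-user") -> Dict:
    """Outcome of CreateVolume for an IAM user or the root user of `acct`.

    SCPs bind every principal in a member account, root included, but never the
    management account. IAM identity policies are left out of the model: they cannot
    bind root, which is why option D could not satisfy the root-user requirement."""
    ctx = request_context(acct, region, request)
    denied = (not acct.is_management) and scp_denies(SCP_REQUIRE_ENCRYPTED_VOLUMES, "ec2:CreateVolume", ctx)
    encrypted = ctx["ec2:Encrypted"] == "true"
    key = None
    if not denied and encrypted:
        key = request.get("KmsKeyId") or acct.ebs_default_kms_key.get(region) or "alias/aws/ebs"
    return {"principal": principal, "allowed": not denied, "encrypted": encrypted, "kms_key": key}


def scenarios() -> Dict[str, Dict]:
    """Constructed accounts: one with step A done, one where it never was, and management."""
    member = Account("222233334444")
    enable_encryption_by_default(member, REGION, DEFAULT_KMS_KEY_ARN)
    drifted = Account("555566667777")
    mgmt = Account("111122223333", is_management=True)
    return {
        "member_no_flag": create_volume(member, REGION, {"Size": 100}),
        "member_explicit_false": create_volume(member, REGION, {"Size": 100, "Encrypted": False}),
        "drifted_root_unencrypted": create_volume(drifted, REGION, {"Size": 100, "Encrypted": False}, "root"),
        "drifted_encrypted": create_volume(drifted, REGION, {"Size": 100, "Encrypted": True}),
        "mgmt_unencrypted": create_volume(mgmt, REGION, {"Size": 100, "Encrypted": False}),
    }


if __name__ == "__main__":
    print(scp_json())
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The scenario names tell the story: in the account where step A was done, neither an employee who forgets the flag nor one who passes Encrypted=false is blocked, because the volume is encrypted anyway; in the account nobody configured, the SCP refuses the root user's unencrypted request but lets an encrypted one through on the aws/ebs key; and the management account remains outside the SCP, which is why step A still has to be applied there directly.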