A company needs a solution to enforce data encryption at rest on Amazon EC2 instances. The solution must automatically identify noncompliant resources and enforce compliance policies on findings.
Which solution will meet these requirements with the LEAST administrative overhead?
A. Use an IAM policy that allows users to create only encrypted Amazon Elastic Block Store (Amazon EBS) volumes. Use AWS Config and AWS Systems Manager to automate the detection and remediation of unencrypted EBS volumes.
B. Use AWS Key Management Service (AWS KMS) to manage access to encrypted Amazon Elastic Block Store (Amazon EBS) volumes. Use AWS Lambda and Amazon EventBridge to automate the detection and remediation of unencrypted EBS volumes.
C. Use Amazon Macie to detect unencrypted Amazon Elastic Block Store (Amazon EBS) volumes. Use AWS Systems Manager Automation rules to automatically encrypt existing and new EBS volumes.
D. Use Amazon Inspector to detect unencrypted Amazon Elastic Block Store (Amazon EBS) volumes. Use AWS Systems Manager Automation rules to automatically encrypt existing and new EBS volumes.
Explanation:
Correct Answer: A
Why Option A is correct:
IAM Policy for Prevention: The IAM policy prevents users from creating unencrypted EBS volumes in the first place, which is a proactive approach to compliance.
AWS Config for Detection: AWS Config is specifically designed for compliance monitoring and can automatically detect noncompliant resources (unencrypted EBS volumes) using managed rules.
AWS Systems Manager for Remediation: AWS Systems Manager Automation can be triggered by AWS Config findings to automatically remediate unencrypted volumes by encrypting them.
Least Administrative Overhead: This solution uses managed AWS services (AWS Config and Systems Manager) that are purpose-built for compliance monitoring and remediation, requiring minimal custom code and maintenance.
Why other options are incorrect:
Option B: While AWS KMS is essential for encryption, using Lambda and EventBridge requires more custom code and maintenance compared to the managed services approach in Option A.
Option C: Amazon Macie is designed for data security and data privacy, specifically for discovering and protecting sensitive data (like PII). It's not the primary tool for detecting unencrypted EBS volumes, and using it for this purpose would be inefficient and more complex.
Option D: Amazon Inspector is designed for security vulnerability assessment, not for compliance monitoring of encryption at rest. It's not the appropriate tool for this specific requirement.
Key AWS Services Involved: IAM (prevention), AWS Config (detection), AWS Systems Manager Automation (remediation), and Amazon EBS (the encrypted resource).
This solution provides a comprehensive approach that prevents, detects, and remediates noncompliant resources with minimal administrative overhead.
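As an added example (not part of the original question or an AWS-published template), the following CloudFormation template wires up the three parts of Option A: an IAM deny on unencrypted volume creation, the AWS managed Config rule ENCRYPTED_VOLUMES, and an automatic remediation that invokes a Systems Manager Automation document. It assumes an AWS Config recorder is already enabled for AWS::EC2::Volume, and the Automation document name, its parameter names and the remediation role ARN are placeholders to be replaced with your own.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Prevent, detect and remediate unencrypted EBS volumes (added example)

Resources:
  # Prevention: deny CreateVolume unless the volume is encrypted.
  # ec2:Encrypted is the condition key EC2 exposes for this API call.
  # Attach this policy to the users or roles that may create volumes.
  DenyUnencryptedVolumesPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: DenyUnencryptedEbsVolumes
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyUnencryptedEbsVolumes
            Effect: Deny
            Action: ec2:CreateVolume
            Resource: "*"
            Condition:
              Bool:
                ec2:Encrypted: "false"

  # Detection: managed rule that marks attached, unencrypted volumes
  # NON_COMPLIANT without any custom code.
  EncryptedVolumesRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: encrypted-volumes
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume

  # Remediation: run an Automation document for each noncompliant volume.
  # An EBS volume cannot be encrypted in place, so the document must
  # snapshot it, copy the snapshot with encryption and swap the volume.
  # PLACEHOLDER values below are not real document or role names.
  EncryptedVolumesRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref EncryptedVolumesRule
      TargetType: SSM_DOCUMENT
      TargetId: PLACEHOLDER-EncryptVolumeAutomationDocument
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        VolumeId:                      # placeholder parameter name
          ResourceValue:
            Value: RESOURCE_ID         # Config passes the volume ID
        AutomationAssumeRole:          # placeholder parameter name
          StaticValue:
            Values:
              - PLACEHOLDER-arn:aws:iam::111122223333:role/ConfigRemediationRole
```

The Deny statement stops new unencrypted volumes, while the rule plus remediation configuration handles volumes that already exist or were created outside the policy's scope.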