AWS Certified Security – Specialty (SCS-C02) — Question 119

A company is designing a new application stack. The design includes web servers and backend servers that are hosted on Amazon EC2 instances. The design also includes an Amazon Aurora MySQL DB cluster.

The EC2 instances are in an Auto Scaling group that uses launch templates. The EC2 instances for the web layer and the backend layer are backed by Amazon Elastic Block Store (Amazon EBS) volumes. No layers are encrypted at rest A security engineer needs to implement encryption at rest.

Which combination of steps will meet these requirements? (Choose two.)

Answer options

• A. Modify EBS default encryption settings in the target AWS Region to enable encryption. Use an Auto Scaling group instance refresh.
• B. Modify the launch templates for the web layer and the backend layer to add AWS Certificate Manager (ACM) encryption for the attached EBS volumes. Use an Auto Scaling group instance refresh.
• C. Create a new AWS Key Management Service (AWS KMS) encrypted DB cluster from a snapshot of the existing DB cluster.
• D. Apply AWS Key Management Service (AWS KMS) encryption to the existing DB cluster.
• E. Apply AWS Certificate Manager (ACM) encryption to the existing DB cluster.

Correct answer: A, C

Explanation

Option A is correct because modifying the default EBS encryption settings ensures that all new EBS volumes created will be encrypted, and using an instance refresh will update the Auto Scaling group with these new settings. Option C is also correct as creating a new AWS KMS encrypted DB cluster from a snapshot ensures that the database is encrypted at rest. The other options do not address encryption at rest for the EBS volumes or the DB cluster adequately or do not apply encryption methods correctly.