AWS Certified Security – Specialty — Question 119

Auditors for a health care company have mandated that all data volumes be encrypted at rest. Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems.
What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

Answer options

• A. On a recurring basis, update all IAM user policies to require that EC2 instances are created with an encrypted volume.
• B. Configure an AWS Config rule to run on a recurring basis for volume encryption.
• C. Set up Amazon Inspector rules for volume encryption to run on a recurring schedule.
• D. Use CloudWatch Logs to determine whether instances were created with an encrypted volume.

Correct answer: B

Explanation

The correct answer is B because AWS Config can evaluate the encryption status of EBS volumes and alert you to any non-compliance. Option A does not provide direct monitoring of volume encryption status, while C focuses on Amazon Inspector, which is not primarily intended for this purpose. D relies on logs rather than proactive monitoring, making it less effective for ongoing compliance checks.