AWS Certified Security – Specialty — Question 319
A security audit reveals that several Amazon Elastic Block Store (Amazon EBS) volumes in a company's production account are not encrypted. The unencrypted EBS volumes are attached to Amazon EC2 instances that are provisioned with an Auto Scaling group and a launch template.
A security engineer must implement a solution to ensure that all EBS volumes are encrypted now and in the future.
Which solution will meet these requirements?
Answer options
- A. Update the launch template by setting the Encrypted flag for all EBS volumes to true. Use the Auto Scaling group's instance refresh feature to replace existing instances with new instances.
- B. Create a new launch template from the old launch template. Set the Encrypted flag for all EBS volumes to true. Update the Auto Scaling group to use the new version of the launch template. Wait for the Auto Scaling group to replace all the old instances that have unencrypted EBS volumes.
- C. Use the Amazon EC2 console to enable encryption of new EBS volumes by default for each AWS Region that the company uses. Use the Auto Scaling group's instance refresh feature to replace existing instances with new instances.
- D. Use the Amazon EC2 console to enable encryption of new EBS volumes by default for each AWS Region that the company uses. Update this setting so that Auto Scaling groups will automatically replace existing instances with new instances.
Correct answer: C
Explanation
Enabling EBS encryption by default is an account-level setting that is applied per AWS Region. Once it is on, every new EBS volume created in that Region is encrypted, including volumes created by launch templates and the root volumes of instances launched from unencrypted AMIs, and it is no longer possible to create an unencrypted volume there. This covers the "in the future" requirement for the whole account, not just the one launch template, and is why C is preferred over A and B, which only fix volumes created by that template. The setting does not touch volumes that already exist, so the existing unencrypted volumes have to be replaced: starting an instance refresh on the Auto Scaling group terminates the running instances in batches and launches replacements, whose volumes are encrypted by default. Option B is also wrong because changing the launch template version does not by itself cause the group to replace running instances. Option D is incorrect because there is no such setting; enabling encryption by default never triggers Auto Scaling groups to replace instances. A practitioner should also note that the refresh only reaches volumes attached to instances the group manages; unencrypted volumes on standalone instances, or detached volumes, still need a snapshot, encrypted copy and re-attach.
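The audit and remediation plan implied by answer C, as an added example that is not part of the exam page. The dictionaries below are constructed sample data whose shape mirrors the EC2 API responses (DescribeVolumes, DescribeInstances, GetEbsEncryptionByDefault) as returned by boto3 or the AWS CLI; in practice you would fetch them with boto3 calls such as ec2.describe_volumes(). The volume, instance and Auto Scaling group names are made up. The example goes slightly beyond the question by separating volumes an instance refresh will replace from unencrypted volumes that are not under any Auto Scaling group, which the refresh cannot fix.

```python
"""Audit unencrypted EBS volumes and plan the enable-by-default + instance refresh fix.

Added example, not from the exam page. Input data is constructed to mirror the
shape of boto3/AWS CLI responses; names are hypothetical.
"""
from collections import defaultdict

# Tag that EC2 Auto Scaling sets on every instance it manages.
ASG_TAG = "aws:autoscaling:groupName"

# Constructed GetEbsEncryptionByDefault results, one per Region the account uses.
ENCRYPTION_BY_DEFAULT = {
    "us-east-1": {"EbsEncryptionByDefault": False},
    "eu-west-1": {"EbsEncryptionByDefault": True},
}

# Constructed DescribeVolumes output per Region (only the fields used here).
VOLUMES = {
    "us-east-1": [
        {"VolumeId": "vol-0a1", "Encrypted": False,
         "Attachments": [{"InstanceId": "i-web1", "State": "attached"}]},
        {"VolumeId": "vol-0a2", "Encrypted": False,
         "Attachments": [{"InstanceId": "i-web2", "State": "attached"}]},
        {"VolumeId": "vol-0a3", "Encrypted": True,
         "Attachments": [{"InstanceId": "i-web3", "State": "attached"}]},
        {"VolumeId": "vol-0a4", "Encrypted": False,
         "Attachments": [{"InstanceId": "i-db1", "State": "attached"}]},
        {"VolumeId": "vol-0a5", "Encrypted": False, "Attachments": []},
    ],
    "eu-west-1": [
        {"VolumeId": "vol-0b1", "Encrypted": True,
         "Attachments": [{"InstanceId": "i-eu1", "State": "attached"}]},
    ],
}

# Constructed DescribeInstances output, flattened to instance id -> tag list.
INSTANCES = {
    "us-east-1": {
        "i-web1": [{"Key": ASG_TAG, "Value": "web-asg"}],
        "i-web2": [{"Key": ASG_TAG, "Value": "web-asg"}],
        "i-web3": [{"Key": ASG_TAG, "Value": "web-asg"}],
        "i-db1": [{"Key": "Name", "Value": "standalone-db"}],  # not in any ASG
    },
    "eu-west-1": {"i-eu1": [{"Key": ASG_TAG, "Value": "eu-asg"}]},
}


def regions_missing_default_encryption(status_by_region):
    """Regions where the encryption-by-default setting is still off."""
    return sorted(r for r, s in status_by_region.items() if not s["EbsEncryptionByDefault"])


def asg_of(instance_tags):
    """Name of the Auto Scaling group that manages an instance, or None."""
    for tag in instance_tags:
        if tag["Key"] == ASG_TAG:
            return tag["Value"]
    return None


def audit_unencrypted(volumes_by_region, instances_by_region):
    """Classify unencrypted volumes by what can remediate them.

    Returns {region: {"asgs": {asg: [volume ids]}, "unmanaged": [volume ids]}}.
    "asgs" volumes disappear when the group is refreshed; "unmanaged" volumes
    (detached, or on instances outside any ASG) need a snapshot/encrypted copy.
    """
    report = {}
    for region, volumes in volumes_by_region.items():
        asgs = defaultdict(list)
        unmanaged = []
        for vol in volumes:
            if vol["Encrypted"]:
                continue
            attached = [a["InstanceId"] for a in vol["Attachments"] if a["State"] == "attached"]
            asg = asg_of(instances_by_region[region].get(attached[0], [])) if attached else None
            if asg:
                asgs[asg].append(vol["VolumeId"])
            else:
                unmanaged.append(vol["VolumeId"])
        if asgs or unmanaged:
            report[region] = {"asgs": dict(asgs), "unmanaged": unmanaged}
    return report


def remediation_commands(status_by_region, volumes_by_region, instances_by_region):
    """AWS CLI commands for answer C, in the order they must run.

    Encryption by default is enabled first so that the replacement instances
    launched by the refresh are guaranteed to get encrypted volumes.
    """
    cmds = [f"aws ec2 enable-ebs-encryption-by-default --region {r}"
            for r in regions_missing_default_encryption(status_by_region)]
    for region, findings in audit_unencrypted(volumes_by_region, instances_by_region).items():
        for asg in sorted(findings["asgs"]):
            cmds.append(f"aws autoscaling start-instance-refresh "
                        f"--auto-scaling-group-name {asg} --region {region}")
    return cmds


if __name__ == "__main__":
    for line in remediation_commands(ENCRYPTION_BY_DEFAULT, VOLUMES, INSTANCES):
        print(line)
    print("needs manual work:", audit_unencrypted(VOLUMES, INSTANCES))
```

Run as a script it prints the two CLI commands for us-east-1 and the audit report; vol-0a4 and vol-0a5 show up under "unmanaged" because no instance refresh will ever replace them, which is the gap a real audit has to close separately.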