AWS Certified Security – Specialty — Question 398

A company is designing a new application stack. The design includes web servers and backend servers that are hosted on Amazon EC2 instances. The design also includes an Amazon Aurora MySQL DB cluster.

The EC2 instances are in an Auto Scaling group that uses launch templates. The EC2 instances for the web layer and the backend layer are backed by Amazon Elastic Block Store (Amazon EBS) volumes. No layers are encrypted at rest. A security engineer needs to implement encryption at rest.

Which combination of steps will meet these requirements? (Choose two.)

Answer options

• A. Modify EBS default encryption setting in the target AWS Region to enable encryption. Use an Auto Scaling group instance refresh.
• B. Modify the launch templates for the web layer and the backend layer to add AWS Certificate Manager (ACM) encryption for the attached EBS volumes. Use an Auto Scaling group instance refresh.
• C. Create a new AWS Key Management Service (AWS KMS) encrypted DB cluster from a snapshot of the existing DB cluster.
• D. Apply AWS Key Management Service (AWS KMS) encryption to the existing DB cluster.
• E. Apply AWS Certificate Manager (ACM) encryption to the existing DB cluster.

Correct answer: A, C

Explanation

Enabling default EBS encryption in the AWS Region ensures that any new EBS volumes launched via the Auto Scaling group will automatically be encrypted at rest, and an instance refresh replaces the existing unencrypted instances with encrypted ones. For the Aurora DB cluster, encryption at rest cannot be enabled on an existing unencrypted database; instead, you must take a snapshot of the unencrypted cluster and restore it as a new, encrypted DB cluster using AWS KMS. AWS Certificate Manager (ACM) is used for managing SSL/TLS certificates and is not applicable to storage encryption at rest.