AWS Certified Security – Specialty — Question 69

Example.com hosts its internal document repository on Amazon EC2 instances. The application runs on EC2 instances and previously stored the documents on encrypted Amazon EBS volumes. To optimize the application for scale, example.com has moved the files to Amazon S3. The security team has mandated that all the files are securely deleted from the EBS volume, and it must certify that the data is unreadable before releasing the underlying disks.
Which of the following methods will ensure that the data is unreadable by anyone else?

Answer options

• A. Change the volume encryption on the EBS volume to use a different encryption mechanism. Then, release the EBS volumes back to AWS.
• B. Release the volumes back to AWS. AWS immediately wipes the disk after it is deprovisioned.
• C. Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to AWS.
• D. Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to AWS.

Correct answer: C

Explanation

The correct answer is C because deleting the encryption key makes the encrypted data unreadable and ensures that no one can access it afterward. Options A and D do not securely erase the data; they only change the encryption or format the drive, which can still allow data recovery. Option B is misleading as AWS does not wipe the disk until the encryption key is deleted or the volume is completely decommissioned.