AWS Certified Solutions Architect – Associate (SAA-C02) — Question 776

A company needs to create an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to host a digital media streaming application. The EKS cluster will use a managed node group that is backed by Amazon Elastic Block Store (Amazon EBS) volumes for storage. The company must encrypt all data at rest by using a customer managed key that is stored in AWS Key Management Service (AWS KMS).
Which combination of actions will meet this requirement with the LEAST operational overhead? (Choose two.)

Answer options

• A. Use a Kubernetes plugin that uses the customer managed key to perform data encryption.
• B. After creation of the EKS cluster, locate the EBS volumes. Enable encryption by using the customer managed key.
• C. Enable EBS encryption by default in the AWS Region where the EKS cluster will be created. Select the customer managed key as the default key.
• D. Create the EKS cluster. Create an IAM role that has a policy that grants permission to the customer managed key. Associate the role with the EKS cluster.
• E. Store the customer managed key as a Kubernetes secret in the EKS cluster. Use the customer managed key to encrypt the EBS volumes.

Correct answer: C, D

Explanation

Enabling EBS encryption by default in the target AWS Region ensures that all newly created EBS volumes, including those provisioned for EKS managed node groups, are automatically encrypted using the specified customer managed key. To allow the EKS service to access and use this customer managed key, an IAM role with the appropriate KMS permissions must be created and associated with the cluster. Other options either involve high operational overhead, such as manually encrypting volumes post-creation, or are architecturally incorrect, such as storing KMS keys as Kubernetes secrets.