AWS Certified Solutions Architect – Associate (SAA-C03) — Question 363

A company needs to create an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to host a digital media streaming application. The EKS cluster will use a managed node group that is backed by Amazon Elastic Block Store (Amazon EBS) volumes for storage. The company must encrypt all data at rest by using a customer managed key that is stored in AWS Key Management Service (AWS KMS).

Which combination of actions will meet this requirement with the LEAST operational overhead? (Choose two.)

Answer options

• A. Use a Kubernetes plugin that uses the customer managed key to perform data encryption.
• B. After creation of the EKS cluster, locate the EBS volumes. Enable encryption by using the customer managed key.
• C. Enable EBS encryption by default in the AWS Region where the EKS cluster will be created. Select the customer managed key as the default key.
• D. Create the EKS cluster. Create an IAM role that has a policy that grants permission to the customer managed key. Associate the role with the EKS cluster.
• E. Store the customer managed key as a Kubernetes secret in the EKS cluster. Use the customer managed key to encrypt the EBS volumes.

Correct answer: C, D

Explanation

Enabling EBS encryption by default in the destination AWS Region (Option C) automatically ensures all newly provisioned EBS volumes for the EKS managed node group are encrypted using the specified customer managed key. To grant the EKS cluster permission to use this KMS key, an IAM role with the correct key policies must be created and linked to the cluster (Option D). Other options like manual post-creation encryption or managing encryption keys via Kubernetes plugins/secrets introduce significant operational overhead and complexity.