AWS Certified Solutions Architect – Associate (SAA-C03) — Question 411

A company uses AWS Organizations with all features enabled and runs multiple Amazon EC2 workloads in the ap-southeast-2 Region. The company has a service control policy (SCP) that prevents any resources from being created in any other Region. A security policy requires the company to encrypt all data at rest.

An audit discovers that employees have created Amazon Elastic Block Store (Amazon EBS) volumes for EC2 instances without encrypting the volumes. The company wants any new EC2 instances that any IAM user or root user launches in ap-southeast-2 to use encrypted EBS volumes. The company wants a solution that will have minimal effect on employees who create EBS volumes.

Which combination of steps will meet these requirements? (Choose two.)

Answer options

Correct answer: C, E

Explanation

The correct answers are C and E because creating an SCP (C) ensures that any attempt to create unencrypted EBS volumes is denied, aligning with the security policy. Additionally, specifying the Default EBS volume encryption setting (E) automatically encrypts new volumes, minimizing the impact on employees. Options A and B do not directly enforce encryption at the organizational level, and D would require more granular IAM policy changes that could disrupt operations.
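The following SCP is an added example, not part of the question or its answer key, showing how answer C is typically written with the `ec2:Encrypted` condition key; the statement IDs are assumed names, and the policy deliberately leaves all other actions alone so employees who already create encrypted volumes are unaffected:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedEbsVolumeCreation",
      "Effect": "Deny",
      "Action": "ec2:CreateVolume",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "Bool": { "ec2:Encrypted": "false" }
      }
    },
    {
      "Sid": "DenyUnencryptedEbsVolumesOnLaunch",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "Bool": { "ec2:Encrypted": "false" }
      }
    }
  ]
}
```

Answer E is a per-account, per-Region setting, so it has to be enabled in each member account with `aws ec2 enable-ebs-encryption-by-default --region ap-southeast-2` (and checked with `aws ec2 get-ebs-encryption-by-default`); the SCP above then acts as the guardrail for any account or caller where that setting is not, or is no longer, enabled.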