AWS Certified Solutions Architect – Associate (SAA-C03) — Question 643

A company needs a solution to enforce data encryption at rest on Amazon EC2 instances. The solution must automatically identify noncompliant resources and enforce compliance policies on findings.

Which solution will meet these requirements with the LEAST administrative overhead?

Answer options

• A. Use an IAM policy that allows users to create only encrypted Amazon Elastic Block Store (Amazon EBS) volumes. Use AWS Config and AWS Systems Manager to automate the detection and remediation of unencrypted EBS volumes.
• B. Use AWS Key Management Service (AWS KMS) to manage access to encrypted Amazon Elastic Block Store (Amazon EBS) volumes. Use AWS Lambda and Amazon EventBridge to automate the detection and remediation of unencrypted EBS volumes.
• C. Use Amazon Macie to detect unencrypted Amazon Elastic Block Store (Amazon EBS) volumes. Use AWS Systems Manager Automation rules to automatically encrypt existing and new EBS volumes.
• D. Use Amazon inspector to detect unencrypted Amazon Elastic Block Store (Amazon EBS) volumes. Use AWS Systems Manager Automation rules to automatically encrypt existing and new EBS volumes.

Correct answer: A

Explanation

AWS Config is the native service designed to track resource configurations and evaluate them against compliance rules, allowing direct integration with AWS Systems Manager for automated remediation with minimal setup. Option B requires writing and maintaining custom AWS Lambda code, which increases administrative overhead. Options C and D are incorrect because Amazon Macie is used for sensitive data discovery in S3, and Amazon Inspector is used for software vulnerability scanning, meaning neither is designed to audit EBS encryption compliance.