AWS Certified Solutions Architect – Associate (SAA-C03) — Question 862
A company plans to rehost an application to Amazon EC2 instances that use Amazon Elastic Block Store (Amazon EBS) as the attached storage.
A solutions architect must design a solution to ensure that all newly created Amazon EBS volumes are encrypted by default. The solution must also prevent the creation of unencrypted EBS volumes.
Which solution will meet these requirements?
Answer options
- A. Configure the EC2 account attributes to always encrypt new EBS volumes.
- B. Use AWS Config. Configure the encrypted-volumes identifier. Apply the default AWS Key Management Service (AWS KMS) key.
- C. Configure AWS Systems Manager to create encrypted copies of the EBS volumes. Reconfigure the EC2 instances to use the encrypted volumes.
- D. Create a customer managed key in AWS Key Management Service (AWS KMS). Configure AWS Migration Hub to use the key when the company migrates workloads.
Correct answer: A
Explanation
Enabling EBS encryption by default is an EC2 account attribute that is set per region. Once it is enabled in a region, every new EBS volume created there, including volumes created from snapshots or at instance launch from an AMI, is encrypted, and the EC2 API no longer allows an unencrypted volume to be created in that region, so both requirements are met. Two caveats matter in practice: the setting must be enabled in every region the company uses, and it does not retroactively encrypt volumes that already exist. New volumes use the AWS managed key (aws/ebs) unless a customer managed KMS key is configured as the region's default EBS key. Because a principal with the ec2:DisableEbsEncryptionByDefault permission can turn the setting off again, it is commonly paired with an IAM policy or organization SCP that denies that action. The AWS Config managed rule encrypted-volumes (option B) detects and reports unencrypted volumes but does not prevent their creation. AWS Systems Manager and AWS Migration Hub (options C and D) offer no account-wide enforcement of EBS encryption.
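The following is an added example illustrating the control described above; it is not code from the exam page or from AWS. The audit functions operate on already-fetched API responses shaped like boto3's EC2 client output, so they run offline against the constructed sample at the bottom; only `fetch_region_state` and `enable_everywhere` talk to AWS and assume boto3 is installed and the caller holds ec2:GetEbsEncryptionByDefault, ec2:GetEbsDefaultKmsKeyId, ec2:DescribeVolumes, ec2:EnableEbsEncryptionByDefault and ec2:ModifyEbsDefaultKmsKeyId. The SCP produced by `guardrail_scp` assumes the account belongs to an AWS Organization with SCPs enabled; the function and variable names here are illustrative choices, not AWS names.

```python
"""Audit EBS encryption by default per region, enable it, and emit an SCP
that stops it from being switched off (added example, not AWS code)."""
import json

AWS_MANAGED_EBS_KEY_ALIAS = "alias/aws/ebs"  # what GetEbsDefaultKmsKeyId returns when no CMK is set


def audit_region(region, state, require_cmk=False):
    """Return findings for one region.

    state has EbsEncryptionByDefault (bool), KmsKeyId (the region's default
    EBS key) and Volumes (DescribeVolumes entries with VolumeId/Encrypted).
    """
    findings = []
    if not state["EbsEncryptionByDefault"]:
        findings.append((region, "encryption-by-default disabled"))
    if require_cmk and state["KmsKeyId"].endswith(AWS_MANAGED_EBS_KEY_ALIAS):
        findings.append((region, "default EBS key is the AWS managed key"))
    # The setting only affects new volumes; volumes created before it was
    # enabled stay unencrypted and must be re-created from an encrypted snapshot.
    for vol in state["Volumes"]:
        if not vol["Encrypted"]:
            findings.append((region, f"pre-existing unencrypted volume {vol['VolumeId']}"))
    return findings


def audit_account(states, require_cmk=False):
    """states maps region name -> state dict (one entry per enabled region)."""
    findings = []
    for region in sorted(states):  # the attribute is per region, so check each one
        findings.extend(audit_region(region, states[region], require_cmk))
    return findings


def guardrail_scp():
    """SCP that denies undoing the control or requesting an unencrypted volume.

    ec2:Encrypted is the documented condition key for CreateVolume and for
    the volume resources of RunInstances.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "LockEbsDefaultEncryption",
                "Effect": "Deny",
                "Action": [
                    "ec2:DisableEbsEncryptionByDefault",
                    "ec2:ModifyEbsDefaultKmsKeyId",
                    "ec2:ResetEbsDefaultKmsKeyId",
                ],
                "Resource": "*",
            },
            {
                "Sid": "DenyUnencryptedVolumes",
                "Effect": "Deny",
                "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
                "Resource": "arn:aws:ec2:*:*:volume/*",
                "Condition": {"Bool": {"ec2:Encrypted": "false"}},
            },
        ],
    }


def fetch_region_state(region):
    """Live read of one region (needs boto3; imported here so the audit
    functions above work without the SDK installed)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    volumes = [v for page in ec2.get_paginator("describe_volumes").paginate()
               for v in page["Volumes"]]
    return {
        "EbsEncryptionByDefault": ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"],
        "KmsKeyId": ec2.get_ebs_default_kms_key_id()["KmsKeyId"],
        "Volumes": volumes,
    }


def enable_everywhere(regions, kms_key_ids=None):
    """Enable encryption by default in each region; kms_key_ids optionally
    maps region -> customer managed key in that same region (KMS keys are regional)."""
    import boto3
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region)
        ec2.enable_ebs_encryption_by_default()
        if kms_key_ids and region in kms_key_ids:
            ec2.modify_ebs_default_kms_key_id(KmsKeyId=kms_key_ids[region])


# Constructed sample: one compliant region with a CMK, one region still on
# the AWS managed key, disabled, and holding a legacy unencrypted volume.
SAMPLE_STATES = {
    "us-east-1": {
        "EbsEncryptionByDefault": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
        "Volumes": [{"VolumeId": "vol-0aaa", "Encrypted": True}],
    },
    "eu-west-1": {
        "EbsEncryptionByDefault": False,
        "KmsKeyId": "alias/aws/ebs",
        "Volumes": [{"VolumeId": "vol-0bbb", "Encrypted": False},
                    {"VolumeId": "vol-0ccc", "Encrypted": True}],
    },
}

if __name__ == "__main__":
    for region, issue in audit_account(SAMPLE_STATES, require_cmk=True):
        print(f"{region}: {issue}")
    print(json.dumps(guardrail_scp(), indent=2))
```

Running the module prints the findings for the constructed sample and the SCP document. For a live account, replace `SAMPLE_STATES` with `{r: fetch_region_state(r) for r in regions}` where `regions` comes from `describe_regions`, then call `enable_everywhere` for every region that was reported as disabled; attach the SCP at the organizational unit so the setting cannot be reverted from inside the account.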