AWS Certified Solutions Architect – Professional (SAP-C02) — Question 312
A company's compliance audit reveals that some Amazon Elastic Block Store (Amazon EBS) volumes that were created in an AWS account were not encrypted. A solutions architect must implement a solution to encrypt all new EBS volumes at rest.
Which solution will meet this requirement with the LEAST effort?
Answer options
- A. Create an Amazon EventBridge rule to detect the creation of unencrypted EBS volumes. Invoke an AWS Lambda function to delete noncompliant volumes.
- B. Use AWS Audit Manager with data encryption.
- C. Create an AWS Config rule to detect the creation of a new EBS volume. Encrypt the volume by using AWS Systems Manager Automation.
- D. Turn on EBS encryption by default in all AWS Regions.
Correct answer: D
Explanation
Enabling EBS encryption by default is a built-in account setting: once it is on, every new EBS volume (and every snapshot copy) created in that Region is encrypted at rest with no custom code or remediation workflow. It uses the AWS-managed key aws/ebs unless a customer-managed KMS key is set as the default. The setting is per Region, which is why the correct answer turns it on in every Region the account uses. It does not change volumes that already exist; those would have to be snapshotted, copied with encryption enabled and swapped in, which this question does not require. Options A and C are reactive controls that detect an unencrypted volume after it has been created: option A deletes it, destroying data rather than encrypting it, and option C cannot encrypt a volume in place, so the Systems Manager Automation runbook would have to implement the snapshot, encrypted copy and replacement itself. Both need custom logic to build and maintain. AWS Audit Manager (option B) collects evidence for compliance assessments and does not enforce encryption.
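The following script is an added example, not part of the original question or of any AWS material. It applies the correct answer with the AWS CLI: it walks every Region enabled for the account, turns on EBS encryption by default where it is off, optionally pins a customer-managed KMS key, and reads the flag back to confirm the change. It assumes AWS CLI v2 and credentials allowed to call ec2:DescribeRegions, ec2:GetEbsEncryptionByDefault, ec2:EnableEbsEncryptionByDefault and ec2:ModifyEbsDefaultKmsKeyId; the variable name EBS_DEFAULT_KMS_KEY_ID, the --apply flag and the sample Region list used in dry-run mode are this example's own choices.

```shell
#!/bin/sh
# Added example: enable EBS encryption by default in every enabled Region of
# the current account. Assumes AWS CLI v2 and suitably permitted credentials.
#
# Usage:  sh enable-ebs-default-encryption.sh           # dry run, prints the calls
#         sh enable-ebs-default-encryption.sh --apply   # changes the account
set -eu

# Optional customer-managed key (ARN, key ID or alias). Empty keeps the
# AWS-managed key aws/ebs. The variable name is this script's own.
EBS_DEFAULT_KMS_KEY_ID="${EBS_DEFAULT_KMS_KEY_ID:-}"

# The setting is account-wide but per Region, so it has to be applied in each
# Region. Require an explicit flag before touching the account.
case "${1:-}" in
    --apply) DRY_RUN=0 ;;
    *)       DRY_RUN=1 ;;
esac

# run_aws: execute one AWS CLI call, or echo it in dry-run mode.
run_aws() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "aws $*"
    else
        aws "$@"
    fi
}

# list_regions: Regions enabled for this account. Opt-in Regions that are not
# enabled are not returned and cannot be configured anyway.
list_regions() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "us-east-1 eu-west-1"   # constructed sample for the dry run
    else
        aws ec2 describe-regions --query 'Regions[].RegionName' --output text
    fi
}

# encryption_enabled REGION: prints True or False for the per-Region flag.
encryption_enabled() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "False"                 # dry run pretends nothing is enabled yet
    else
        aws ec2 get-ebs-encryption-by-default --region "$1" \
            --query 'EbsEncryptionByDefault' --output text
    fi
}

# enable_in_region REGION: turn the flag on, optionally set the default CMK,
# then read the flag back so a silent failure does not go unnoticed.
enable_in_region() {
    region="$1"
    if [ "$(encryption_enabled "$region")" = "True" ]; then
        echo "$region: already enabled"
        return 0
    fi
    run_aws ec2 enable-ebs-encryption-by-default --region "$region" --output text
    if [ -n "$EBS_DEFAULT_KMS_KEY_ID" ]; then
        run_aws ec2 modify-ebs-default-kms-key-id --region "$region" \
            --kms-key-id "$EBS_DEFAULT_KMS_KEY_ID" --output text
    fi
    if [ "$DRY_RUN" != "1" ] && [ "$(encryption_enabled "$region")" != "True" ]; then
        echo "$region: enable call returned but the flag is still off" >&2
        return 1
    fi
    echo "$region: enabled"
}

# enable_everywhere: apply to every enabled Region; exit non-zero if any failed.
enable_everywhere() {
    failed=0
    for region in $(list_regions); do
        enable_in_region "$region" || failed=1
    done
    return $failed
}

enable_everywhere
```

Run it once without arguments to see the exact calls it would make, then with --apply. Because the flag is read back after each call, a Region where the change did not take (for example a permissions problem that the CLI reported but the operator missed) makes the script exit non-zero instead of reporting success. Existing unencrypted volumes are left untouched; handling them is a separate migration.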