AWS Certified Solutions Architect – Professional — Question 638

A company has multiple AWS accounts. The company recently had a security audit that revealed many unencrypted Amazon Elastic Block Store (Amazon EBS) volumes attached to Amazon EC2 instances.
A solutions architect must encrypt the unencrypted volumes and ensure that unencrypted volumes will be detected automatically in the future. Additionally, the company wants a solution that can centrally manage multiple AWS accounts with a focus on compliance and security.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

Answer options

Correct answer: A, C

Explanation

EBS volumes cannot be encrypted in place. To encrypt an existing unencrypted Amazon EBS volume, you must take a snapshot of the volume, then create a new encrypted volume from that snapshot (or first copy the snapshot with encryption enabled), and finally replace the original unencrypted volume with the new one. For multi-account compliance and automatic detection of unencrypted volumes, AWS Control Tower with the strongly recommended guardrail for detecting unencrypted EBS volumes is the correct approach. Mandatory guardrails do not include the specific check for unencrypted EBS volumes, making option A correct over option D.
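The snapshot-and-recreate procedure from the explanation, written against the boto3 EC2 client API as an added example (not part of the original question or any AWS artifact); the `ec2` client object, and any volume, instance or device identifiers you pass in, are assumptions, and a stand-in object with the same method names can be used to exercise the logic offline.

```python
"""Find unencrypted EBS volumes and re-create each one encrypted (added example).
`ec2` is any object with the boto3 EC2 client methods used below; assumption:
the caller passes boto3.client("ec2") or an offline stand-in with the same names."""


def find_unencrypted_volumes(ec2):
    """Return one dict per unencrypted volume, with attachment details if any."""
    found, kwargs = [], {"Filters": [{"Name": "encrypted", "Values": ["false"]}]}
    while True:  # follow NextToken so large accounts are fully scanned
        page = ec2.describe_volumes(**kwargs)
        for vol in page["Volumes"]:
            att = (vol.get("Attachments") or [{}])[0]
            found.append({"VolumeId": vol["VolumeId"],
                          "InstanceId": att.get("InstanceId"),
                          "Device": att.get("Device")})
        if not page.get("NextToken"):
            return found
        kwargs["NextToken"] = page["NextToken"]


def reencrypt_volume(ec2, volume_id, instance_id, device, kms_key_id=None):
    """Snapshot -> encrypted volume from that snapshot -> swap it onto the instance.

    Stop the instance (or quiesce the filesystem) first; the original volume is
    left in place, not deleted, so it can be re-attached if anything fails.
    """
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    snap_id = ec2.create_snapshot(
        VolumeId=volume_id, Description=f"pre-encryption copy of {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id])
    extra = {"KmsKeyId": kms_key_id} if kms_key_id else {}  # default: the aws/ebs key
    if vol["VolumeType"] in ("io1", "io2"):  # provisioned-IOPS types require Iops
        extra["Iops"] = vol["Iops"]
    # Encrypted=True makes the volume built from the unencrypted snapshot encrypted
    new_id = ec2.create_volume(AvailabilityZone=vol["AvailabilityZone"],
                               SnapshotId=snap_id, VolumeType=vol["VolumeType"],
                               Encrypted=True, **extra)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_id])
    if instance_id:  # swap the volumes on the same device name
        ec2.detach_volume(VolumeId=volume_id, InstanceId=instance_id, Device=device)
        ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
        ec2.attach_volume(VolumeId=new_id, InstanceId=instance_id, Device=device)
    return {"old": volume_id, "new": new_id, "snapshot": snap_id}


if __name__ == "__main__":
    import boto3  # the real client is only created when run directly against an account
    client = boto3.client("ec2")
    for v in find_unencrypted_volumes(client):
        print(reencrypt_volume(client, v["VolumeId"], v["InstanceId"], v["Device"]))
```

Run it per account (or via a cross-account role) and keep the returned old/new/snapshot ids as the change record; the Control Tower guardrail remains the ongoing detective control once the backlog is cleared.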