AWS Certified Solutions Architect – Professional — Question 716

A company's compliance audit reveals that some Amazon Elastic Block Store (Amazon EBS) volumes that were created in an AWS account were not encrypted.
A solutions architect must implement a solution to encrypt all new EBS volumes at rest.
Which solution will meet this requirement with the LEAST effort?

Answer options

• A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to detect the creation of unencrypted EBS volumes. Invoke an AWS Lambda function to delete noncompliant volumes.
• B. Use AWS Audit Manager with data encryption.
• C. Create an AWS Config rule to detect the creation of a new EBS volume. Encrypt the volume by using AWS Systems Manager Automation.
• D. Turn on EBS encryption by default in all AWS Regions.

Correct answer: D

Explanation

Enabling EBS encryption by default is a simple, regional setting that automatically encrypts all newly created EBS volumes and snapshot copies with no additional custom automation or scripting, representing the lowest operational effort. Other solutions, such as using AWS Config or EventBridge with Lambda, introduce unnecessary configuration complexity and only react after a volume has already been created. AWS Audit Manager is designed for auditing and compliance tracking, not for enforcing or automating technical resource encryption.