AWS Certified SysOps Administrator – Associate (legacy) — Question 399

A SysOps Administrator must ensure all Amazon EBS volumes currently in use, and those created in the future, are encrypted with a specific AWS KMS customer master key (CMK).
What is the MOST efficient way for the Administrator to meet this requirement?

Answer options

• A. Create an AWS Lambda function to run on a daily schedule, and have the function run the aws ec2 describe-volumes --filters encrypted command.
• B. Within AWS Config, configure the encrypted-volumes managed rule and specify the key ID of the CMK.
• C. Log in to the AWS Management Console on a daily schedule, then filter the list of volumes by encryption status, then export this list.
• D. Create an AWS Lambda function to run on a daily schedule, and have the function run the aws kms describe-key command.

Correct answer: D

Explanation

Running an AWS Lambda function on a daily schedule to execute the aws kms describe-key command allows the Administrator to programmatically audit and verify the status, policy, and state of the specific CMK designated for encryption. This automated approach ensures the key remains active and properly configured to support EBS volume encryption without manual intervention. Other options either rely on inefficient manual console checks or do not directly validate the operational state of the specific KMS key as effectively.