AWS Certified SysOps Administrator – Associate (legacy) — Question 674
An Amazon EC2 instance has a secondary Amazon Elastic Block Store (EBS) volume attached that contains sensitive data. A new company policy requires the secondary volume to be encrypted at rest.
Which solution will meet this requirement?
Answer options
- A. Create a snapshot of the volume. Create a new volume from the snapshot with the Encrypted parameter set to true. Detach the original volume and attach the new volume to the instance.
- B. Create an encrypted Amazon Machine Image (AMI) of the EC2 instance. Launch a new instance with the encrypted AMI. Terminate the original instance.
- C. Stop the EC2 instance. Encrypt the volume with AWS CloudHSM. Start the instance and verify encryption.
- D. Stop the EC2 instance. Modify the instance properties and set the Encrypted parameter to true. Start the instance and verify encryption.
Correct answer: A
Explanation
Amazon EBS cannot encrypt an existing unencrypted volume in place. The standard workflow is to take a snapshot of the unencrypted volume, create a new encrypted volume from that snapshot, and swap the new volume in for the original. Neither modifying the instance's properties nor applying AWS CloudHSM to the volume is a valid way to enable EBS encryption.
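The snapshot-and-swap workflow from option A expressed as AWS CLI calls, added here as an example rather than taken from the exam material. It assumes the AWS CLI is installed with credentials and a region configured; the volume, instance, device and KMS key identifiers are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the exam page: the snapshot-and-swap workflow
# from option A as AWS CLI calls. Assumes the AWS CLI is installed and
# credentials/region are configured; volume, instance, device and KMS key
# values are placeholders supplied by the caller.
set -eu

# Print the volume's Encrypted attribute, lower-cased ("true"/"false").
volume_encrypted() {
  aws ec2 describe-volumes --volume-ids "$1" \
    --query 'Volumes[0].Encrypted' --output text | tr '[:upper:]' '[:lower:]'
}

# Usage: migrate_to_encrypted <volume-id> <instance-id> <device> [kms-key-id]
# Prints the ID of the encrypted volume now attached to the instance.
migrate_to_encrypted() {
  vol="$1"; inst="$2"; dev="$3"; key="${4:-}"
  if [ "$(volume_encrypted "$vol")" = "true" ]; then
    echo "$vol" # nothing to do: already encrypted at rest
    return 0
  fi
  # The replacement must live in the same AZ as the instance.
  az=$(aws ec2 describe-volumes --volume-ids "$vol" \
         --query 'Volumes[0].AvailabilityZone' --output text)

  # 1. Snapshot the unencrypted source and wait for it to complete.
  snap=$(aws ec2 create-snapshot --volume-id "$vol" \
           --description "pre-encryption copy of $vol" \
           --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$snap"

  # 2. Create an encrypted volume from it (account default EBS KMS key unless
  #    one is given; add --volume-type/--iops to match the source if needed).
  set -- --snapshot-id "$snap" --availability-zone "$az" --encrypted
  if [ -n "$key" ]; then set -- "$@" --kms-key-id "$key"; fi
  newvol=$(aws ec2 create-volume "$@" --query VolumeId --output text)
  aws ec2 wait volume-available --volume-ids "$newvol"

  # 3. Swap volumes. Unmount the filesystem inside the guest before this step;
  #    detach-volume does not flush it for you.
  aws ec2 detach-volume --volume-id "$vol" >/dev/null
  aws ec2 wait volume-available --volume-ids "$vol"
  aws ec2 attach-volume --volume-id "$newvol" --instance-id "$inst" \
    --device "$dev" >/dev/null
  aws ec2 wait volume-in-use --volume-ids "$newvol"

  # 4. Verify. The source volume and the snapshot still hold the data
  #    unencrypted; delete both once the new volume checks out.
  [ "$(volume_encrypted "$newvol")" = "true" ] || return 1
  echo "$newvol"
}
```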