A company needs a solution to enforce data encryption at rest on Amazon EC2 instances. The solution must automatically identify noncompliant resources and enforce compliance policies on findings. Which solution will meet these requirements with the LEAST administrative overhead?
Choose an answer
Tap an option to check your answer.
Correct answer: Use an IAM policy that allows users to create only encrypted Amazon Elastic Block Store (Amazon EBS) volumes. Use AWS Config and AWS Systems Manager to automate detection and remediation of unencrypted EBS volumes..
Why this is the answer
The correct solution combines preventative and detective/remediative measures with minimal overhead. An IAM policy preventing the creation of unencrypted EBS volumes is a strong preventative control. AWS Config is designed for continuous monitoring and evaluation of resource compliance against desired configurations, making it ideal for detecting noncompliant (unencrypted) EBS volumes. AWS Systems Manager Automation can then be used to automatically remediate these findings, such as encrypting existing unencrypted volumes or stopping non-compliant instances. Using AWS KMS alone doesn't enforce encryption creation, only manages keys. AWS Lambda and EventBridge can automate, but Config and Systems Manager are purpose-built for compliance and remediation. Amazon Macie focuses on sensitive data discovery, not EBS encryption enforcement. Amazon Inspector is for vulnerability management, not EBS encryption compliance.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed