A company plans to rehost an application to Amazon EC2 instances that use Amazon Elastic Block Store (Amazon EBS) for attached storage. A solutions architect must ensure all newly created Amazon EBS volumes are encrypted by default and prevent creation of unencrypted EBS volumes. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Configure the EC2 account attributes to always encrypt new EBS volumes..
Why this is the answer
Configuring the EC2 account attributes to always encrypt new EBS volumes is the most direct and effective way to enforce encryption by default for all new EBS volumes created in that region. This setting ensures that any new EBS volume, whether created from a snapshot, an AMI, or as a new empty volume, is automatically encrypted. This also prevents the creation of unencrypted EBS volumes, as any attempt to create one will fail or be automatically encrypted. Using AWS Config with the encrypted-volumes identifier would only detect non-compliant volumes after they are created, not prevent their creation. AWS Systems Manager can automate tasks but isn't designed to enforce default encryption at the creation stage. AWS Migration Hub and customer managed keys are for migration and key management respectively, not for enforcing default EBS encryption at the account level.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed