A company uses AWS Organizations (all features enabled) and runs EC2 workloads in ap-southeast-2. An SCP prevents resource creation in other Regions. A security policy requires all data at rest be encrypted. An audit found employees created unencrypted EBS volumes. The company wants any new EC2 instances launched in ap-southeast-2 by any IAM or root user to use encrypted EBS volumes, with minimal impact on employees creating volumes. Which combination of steps meets these requirements? (Choose two.)
Choose an answer
Tap an option to check your answer.
Correct answer: Create an SCP. Attach the SCP to the root organizational unit (OU). Define the SCP to deny the ec2:CreateVolume action when the ec2:Encrypted condition equals false., In the Organizations management account, specify the Default EBS volume encryption setting..
Why this is the answer
The most effective solution involves two steps. First, enabling default EBS encryption at the account level ensures that all newly created EBS volumes are encrypted by default, addressing the requirement with minimal user impact. This setting applies to all EBS volumes created in the specified Region (ap-southeast-2). Second, creating an SCP that denies the ec2:CreateVolume action when ec2:Encrypted is false acts as a strong preventative control. Attaching this SCP to the root OU ensures it applies to all accounts within the organization, preventing any user from explicitly creating unencrypted volumes, even if they try to override the default setting. Updating individual IAM policies is less scalable and prone to human error compared to an SCP. An IAM permission boundary is applied to IAM users/roles, not directly to the root user or across accounts in the same way an SCP does for organizational-wide enforcement.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed