Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 371 discussion

https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html#:~:text=encrypted%20Amazon%20EBS%20volumes%20without%20using%20a%20launch%20template%2C%20encrypt%20all%20new%20Amazon%20EBS%20volumes%20created%20in%20your%20account.

Quickly rule out A (which plugin? > overhead) and E because of bad practice Among B,C,D: B and C are functionally similar > choice must be between B or C, D is fixed Between B and C: C is out since it set default for all EBS volume in the region, which is more than required and even wrong, say what if other EBS volumes of other applications in the region have different requirement?

CD This options are wrongly stated in my understanding. B is wrong because you can not encrypt an unencrypted created ebs volume. You need to take a snapshot of the volume, encrypt the snapshot ,creat new ebs volume from snapshot. You can also enable encryption during creation. So the statement is wrong. The next available option can only be C, except that in that account all ebs volumes created would be encrypted, this is also questionable. Because if another person create a new ebs volumes it's automatically encrypted.

A and E are obvious nos. D is a shoo-in. The difference between B&C is basicually EBS encrption by default vs encrption. Encryption by default is by region, and encrypt everything in that region going forward, versus simple encryption is volume by volume, C is less operational overhead. Check doc & chatGPT.

this one is going on my skip list

If question is giving a requirement related to a particular case and asking to encrypt all data at rest; it is clear that encryption is for this case only and not for other projects in entire region. so option B is more appropriate along with option D.

It says: 'The company must encrypt ALL data at rest', so there is nothing wrong with 'enabling EBS encryption by default' . C & D

B&D are correct. C is wrong because when you turn on encryption by defaul, AWS uses its own key while the requirement is using Customer key. Detail is here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default

Not A (avoid 3rd party plugins when there are native services) Not C ("encryption by default" would impact other services) Not E (Keys belong in KMS, not in EKS cluster)

EBS encryption is set regionally. AWS account is global but it does not mean EBS encryption is enable by default at account level. default EBS encryption is a regional setting within your AWS account. Enabling it in a specific region ensures that all new EBS volumes created in that region are encrypted by default, using either the default AWS managed key or a customer managed key that you specify.

IF you need to encrypt an unencrypted volume, • Create an EBS snapshot of the volume • Encrypt the EBS snapshot ( using copy ) • Create new EBS volume from the snapshot ( the volume will also be encrypted ) so it has an operational overhead. So assuming they won't use this account for anything else we can use C. Enable EBS encryption by default in the AWS Region where the EKS cluster will be created. Select the customer managed key as the default key.

Option D is required wither way. Technically both option B and C would work, but with B you would have to enable encryption node by node, while with option C provides a onetime action of enabling encryption on all nodes. The requirement is the option with LEAST operational overhead.

These options allow EBS encryption with the customer managed KMS key with minimal operational overhead: C) Setting the KMS key as the regional EBS encryption default automatically encrypts new EKS node EBS volumes. D) The IAM role grants the EKS nodes access to use the key for encryption/decryption operations.

C - enable EBS encryption by default in a region -https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html D - Provides key access permission just to the EKS cluster without changing broader IAM permissions

I was in doubt between B and C. You can't "Enable EBS encryption by default in the AWS Region". Enable EBS encryption by default is only possible at Account level, not Region. B is the right option once you can enable encryption on the EBS volume with KMS and custom KMS.

It's C and D. I tried it in my AWS console. C seems to have fewer operations ahead compared to B.

B and C. Unless the key policy explicitly allows it, you cannot use IAM policies to allow access to a KMS key. Without permission from the key policy, IAM policies that allow permissions have no effect.