Exam AWS Certified Cloud Practitioner CLF-C02 topic 1 question 231 discussion

Not sure, but going for B: While AWS KMS does the encryption on a technical level, the customer needs to initiate the configuration in AWS KMS to do the encryption?! Otherwise, there wouldn't be unencrypted devices. Found this "You can enable encryption automatically on all new EBS volumes and snapshot copies in your AWS account and Region." This "you" is the customer... semantics, I know. Still going for B. https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html

The answer is B. The customer has to select AWS KMS. If the customer does not explicit select it then nothing will be encrypted. The question asks "who enables encryption" not what is used to encrypt. Therefore, since the user has to enable the service the answer should be B the user.

Open the Amazon EC2 console at Select the Region from the navigation bar Select EC2 Dashboard from the navigation pane Choose Account Attributes, then Data protection and security in the upper-right corner In the EBS encryption section, choose Manage Select Enable for Always encrypt new EBS volumes Choose a default encryption key Select Update EBS encryption

B. AWS customers

A. AWS Support - AWS Support does not directly enable encryption for EBS. They provide support and guidance, but the customer or AWS KMS is responsible for enabling encryption. B. AWS customers - AWS customers are responsible for enabling encryption for their EBS volumes, but they do so using AWS KMS. C. AWS Key Management Service (AWS KMS) - AWS KMS is the service that provides the encryption keys and enables encryption of data at rest for Amazon EBS. Customers can use AWS KMS to create, manage, and use cryptographic keys to protect their data. D. AWS Trusted Advisor - AWS Trusted Advisor is a service that provides recommendations to optimize your AWS environment, but it does not directly enable encryption for EBS volumes. So, the correct answer is option C. AWS Key Management Service (AWS KMS) enables encryption of data at rest for Amazon Elastic Block Store (Amazon EBS).

Who refers to a person but can also refer to a non-person, which depends on context and grammar usage. I'll go with B.) AWS Customer Data at rest is not enabled by default, which would require the customer's interaction to make it so. That's my logic for the question.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html If customer selects/uses AWS KMS key for EBS encryption then KMS key policy allows any user with with access to the required AWS KMS actions to use this KMS key to encrypt or decrypt EBS resources. So answer is B.

According to the official documentation, when you create an encrypted EBS volume and attach it to a supported instance type, data stored at rest on the volume, disk I/O, and snapshots created from the volume are all encrypted. The encryption occurs on the servers that host EC2 instances, providing encryption of data-in-transit from EC2 instances to EBS storage 1. The encryption is performed using AWS Key Management Service (AWS KMS) keys when creating encrypted volumes and snapshots. The data key is generated by AWS KMS and then encrypted by AWS KMS with your AWS KMS key prior to being stored with your volume information. All snapshots, and any subsequent volumes created from those snapshots using the same AWS KMS key share the same data key 2. Therefore, the correct answer is C. AWS Key Management Service (AWS KMS).

For me c si correct answer

The data key is generated by AWS KMS and then encrypted by AWS KMS with your AWS KMS key prior to being stored with your volume information

Encryption at EBS is enabled by Aws KMS

https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html

B is correct