Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 887 discussion

AnswerA The task is to force automatic encryption for every new EBS volume and prevent possibility of creation any unencrypted volume hence: https://docs.aws.amazon.com/ebs/latest/userguide/work-with-ebs-encr.html#ebs-encryption_key_mgmt To enable encryption by default for a Region Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/. From the navigation bar, select the Region. From the navigation pane, select EC2 Dashboard. In the upper-right corner of the page, choose Account Attributes, Data protection and security. Choose Manage. Select Enable. You keep the AWS managed key with the alias alias/aws/ebs created on your behalf as the default encryption key, or choose a symmetric customer managed encryption key. Choose Update EBS encryption.

"EBS volumes are encrypted by default"....I would choose B over A

https://docs.aws.amazon.com/ebs/latest/userguide/encryption-by-default.html You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example, Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot. For examples of transitioning from unencrypted to encrypted EBS resources, see https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption.html#encrypt-unencrypted: To enable encryption by default for a Region %aws ec2 enable-ebs-encryption-by-default --region region In the upper-right corner of the page, choose Account Attributes, Data protection and security.

A - This automatically encrypts all newly created volumes, but can't prevent unencrypted volumes. B - AWS Config can enforce and automate compliance by using a rule to check whether all EBS volumes are encrypted. C - Creating encrypted copies of volumes after they are created? Why bother to do this D - What does Migration Hub have to do with this... I don't understand.

https://docs.aws.amazon.com/ebs/latest/userguide/encryption-by-default.html

"The solution must also prevent the creation of unencrypted EBS volumes." For prevention future actions, I go for AWS config. You can setup Encryption in EC2, but Its manual process, what happen if you add one or more EC2?

AnswerA https://docs.aws.amazon.com/ebs/latest/userguide/work-with-ebs-encr.html#ebs-encryption_key_mgmt To enable encryption by default for a Region Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/. From the navigation bar, select the Region. From the navigation pane, select EC2 Dashboard. In the upper-right corner of the page, choose Account Attributes, Data protection and security. Choose Manage. Select Enable. You keep the AWS managed key with the alias alias/aws/ebs created on your behalf as the default encryption key, or choose a symmetric customer managed encryption key. Choose Update EBS encryption.

A. https://repost.aws/knowledge-center/ebs-automatic-encryption

As it needs to prevent creation of Unencrypted EBS volume

B es correcto , AWS Config para identificar automáticamente los volúmenes de EBS no cifrados y aplicar una acción correctiva.A,C,D : incorrectas , no cumplen con el cifrado automático