Exam AWS Certified Solutions Architect - Professional topic 1 question 808 discussion

A company has multiple AWS accounts. The company recently had a security audit that revealed many unencrypted Amazon Elastic Block Store (Amazon EBS) volumes attached to Amazon EC2 instances.
A solutions architect must encrypt the unencrypted volumes and ensure that unencrypted volumes will be detected automatically in the future. Additionally, the company wants a solution that can centrally manage multiple AWS accounts with a focus on compliance and security.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

  • A. Create an organization in AWS Organizations. Set up AWS Control Tower, and turn on the strongly recommended guardrails. Join all accounts to the organization. Categorize the AWS accounts into OUs.
  • B. Use the AWS CLI to list all the unencrypted volumes in all the AWS accounts. Run a script to encrypt all the unencrypted volumes in place.
  • C. Create a snapshot of each unencrypted volume. Create a new encrypted volume from the unencrypted snapshot. Detach the existing volume, and replace it with the encrypted volume.
  • D. Create an organization in AWS Organizations. Set up AWS Control Tower, and turn on the mandatory guardrails. Join all accounts to the organization. Categorize the AWS accounts into OUs.
  • E. Turn on AWS CloudTrail. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule to detect and automatically encrypt unencrypted volumes.
Suggested Answer: AC
Reference:
https://docs.aws.amazon.com/controltower/latest/userguide/guardrails.html
https://aws.amazon.com/premiumsupport/knowledge-center/create-unencrypted-volume-kms-key/
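
The detection requirement and the replacement steps in option C, as an added example that is not part of the original question or its discussion. It flags unencrypted attached volumes in `aws ec2 describe-volumes` output and emits the AWS CLI steps in order; the sample inventory is constructed and the helper names are hypothetical.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-volumes` output.
SAMPLE = json.loads("""{"Volumes": [
 {"VolumeId": "vol-0aaa", "Encrypted": false, "AvailabilityZone": "us-east-1a",
  "VolumeType": "gp3", "Attachments": [
    {"InstanceId": "i-0111", "Device": "/dev/sdf", "State": "attached"}]},
 {"VolumeId": "vol-0bbb", "Encrypted": true, "AvailabilityZone": "us-east-1a",
  "VolumeType": "gp3", "Attachments": [
    {"InstanceId": "i-0111", "Device": "/dev/sdg", "State": "attached"}]},
 {"VolumeId": "vol-0ccc", "Encrypted": false, "AvailabilityZone": "us-east-1b",
  "VolumeType": "gp2", "Attachments": []}]}""")


def unencrypted_attached(volumes):
    """Hypothetical helper: (volume, attachment) pairs the audit would flag."""
    return [(v, a) for v in volumes if not v.get("Encrypted")
            for a in v.get("Attachments", []) if a.get("State") == "attached"]


def remediation_plan(vol, att):
    """Hypothetical helper: AWS CLI steps for option C, in order.

    Assumes the operator has quiesced writes (or stopped the instance) first,
    and that the account's default KMS key is acceptable (no --kms-key-id).
    """
    vid, iid = vol["VolumeId"], att["InstanceId"]
    return [
        # 1. Snapshot the unencrypted volume and wait for it to complete.
        f"SNAP=$(aws ec2 create-snapshot --volume-id {vid}"
        " --query SnapshotId --output text)",
        'aws ec2 wait snapshot-completed --snapshot-ids "$SNAP"',
        # 2. Create an encrypted volume from that snapshot in the same AZ.
        f'NEW=$(aws ec2 create-volume --snapshot-id "$SNAP" --encrypted'
        f" --availability-zone {vol['AvailabilityZone']}"
        f" --volume-type {vol['VolumeType']} --query VolumeId --output text)",
        'aws ec2 wait volume-available --volume-ids "$NEW"',
        # 3. Detach the old volume, then attach the new one at the same device.
        f"aws ec2 detach-volume --volume-id {vid}",
        f"aws ec2 wait volume-available --volume-ids {vid}",
        f'aws ec2 attach-volume --volume-id "$NEW" --instance-id {iid}'
        f" --device {att['Device']}",
    ]


if __name__ == "__main__":
    for vol, att in unencrypted_attached(SAMPLE["Volumes"]):
        print("\n".join(remediation_plan(vol, att)))
```

The unattached volume `vol-0ccc` is skipped because the audit finding in the question concerns volumes attached to EC2 instances.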

Comments

Smartphone
Highly Voted 2 years, 11 months ago
A. CORRECT - The strongly recommended guardrails enable detection of whether encryption is enabled for Amazon EBS volumes attached to Amazon EC2 instances (https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html)
B. NOT CORRECT - This is a completely manual task.
C. CORRECT - This is the only way to change the unencrypted volume to an encrypted volume that is attached to EC2 instances.
D. NOT CORRECT - The mandatory guardrails are created by AWS itself. (https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-guardrails.html)
E. NOT CORRECT - CloudTrail cannot solve this problem.
upvoted 8 times
RVivek
2 years, 9 months ago
Good explanation. However, C says create an encrypted volume from an unencrypted snapshot. We have to copy the unencrypted snapshot to an encrypted snapshot, then create a volume from it.
upvoted 1 time
AYANtheGLADIATOR
Most Recent 2 years, 3 months ago
We can't make an encrypted volume from an unencrypted snapshot.
upvoted 2 times
asfsdfsdf
2 years, 4 months ago
Selected Answer: AC
C for sure - no other way to do it. A is the most correct other answer, since EBS encryption is part of the strongly recommended guardrails: https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html
upvoted 2 times
wahlbergusa
2 years, 11 months ago
I was gonna choose C, D, but it seems the mandatory guardrails are enabled by default (no need to manually turn them on). Hence I'd go with A, C.
upvoted 3 times