ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 370 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 370
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A company has multiple AWS accounts. The company recently had a security audit that revealed many unencrypted Amazon Elastic Block Store (Amazon EBS) volumes attached to Amazon EC2 instances.

A solutions architect must encrypt the unencrypted volumes and ensure that unencrypted volumes will be detected automatically in the future. Additionally, the company wants a solution that can centrally manage multiple AWS accounts with a focus on compliance and security.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

  • A. Create an organization in AWS Organizations. Set up AWS Control Tower, and turn on the strongly recommended controls (guardrails). Join all accounts to the organization. Categorize the AWS accounts into OUs.
  • B. Use the AWS CLI to list all the unencrypted volumes in all the AWS accounts. Run a script to encrypt all the unencrypted volumes in place.
  • C. Create a snapshot of each unencrypted volume. Create a new encrypted volume from the unencrypted snapshot. Detach the existing volume, and replace it with the encrypted volume.
  • D. Create an organization in AWS Organizations. Set up AWS Control Tower, and turn on the mandatory controls (guardrails). Join all accounts to the organization. Categorize the AWS accounts into OUs.
  • E. Turn on AWS CloudTrail. Configure an Amazon EventBridge rule to detect and automatically encrypt unencrypted volumes.
Show Suggested Answer Hide Answer
Suggested Answer: AC 🗳️
by cypkir at Nov. 22, 2023, 7:46 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
J0n102
Highly Voted 1 year, 6 months ago
Selected Answer: AC
A: strongly recommended controls - detects whether the Amazon EBS volumes attached to an Amazon EC2 instance are encrypted C: Best way to encrypt an unencrypted volume
upvoted 6 times
...
Russs99
Highly Voted 1 year, 6 months ago
Selected Answer: AC
the appropriate guardrail is: A Strongly recommended guardrail: Detect Whether Encryption is Enabled for Amazon EBS Volumes Attached to Amazon EC2 Instances. This guardrail continuously monitors your environment and detects any EC2 instances with unencrypted EBS volumes attached
upvoted 5 times
...
AzureDP900
Most Recent 7 months, 2 weeks ago
Option A is correct because setting up an organization with AWS Control Tower will help centrally manage multiple AWS accounts and ensure compliance and security. Joining all accounts to the organization ensures that encryption is enforced across all accounts. Option C is also correct because creating snapshots of each unencrypted volume, encrypting them, and replacing the original volumes with encrypted ones is a more efficient and automated way to handle the encryption.
upvoted 1 times
...
vip2
11 months, 3 weeks ago
Selected Answer: AC
A and C are correct according to https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#ebs-enable-encryption
upvoted 2 times
...
kejam
1 year, 4 months ago
Selected Answer: AC
https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#ebs-enable-encryption
upvoted 1 times
...
career360guru
1 year, 5 months ago
Selected Answer: AC
Option A & C
upvoted 1 times
...
ayadmawla
1 year, 6 months ago
Selected Answer: AC
Answer A+C
upvoted 1 times
...
shaaam80
1 year, 6 months ago
Selected Answer: AC
Answer AC
upvoted 2 times
...
tfl
1 year, 7 months ago
Selected Answer: AC
AC for sure. Unencrypted EBS detection is part of strongly recommended guardrails, and you cannot encrypt a volume or snapshot in place. You need to create a new encrypted volume from an unencrypted snapshot, and attach it to the instance.
upvoted 4 times
...
shaaam80
1 year, 7 months ago
Selected Answer: AE
"and ensure that unencrypted volumes will be detected automatically in the future. " - to automatically detect unencrypted volumes, we need CloudTrail and Eventbridge to detect and encrypt unencrypted volumes automatically.
upvoted 3 times
shaaam80
1 year, 6 months ago
Changing to A&C.
upvoted 2 times
...
...
pic1
1 year, 7 months ago
Selected Answer: AE
"...centrally manage multiple AWS accounts with a focus on compliance and security", and "...ensure that unencrypted volumes will be detected automatically..."
upvoted 2 times
...
devalenzuela86
1 year, 7 months ago
BD for sure
upvoted 2 times
devalenzuela86
1 year, 7 months ago
Change to BE Creating an organization in AWS Organizations, setting up AWS Control Tower, and turning on the mandatory controls (guardrails) (Option D) is not required since the strongly recommended controls (guardrails) are sufficient
upvoted 1 times
...
...
cypkir
1 year, 7 months ago
Selected Answer: AC
Answer: A C
upvoted 4 times
devalenzuela86
1 year, 7 months ago
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-encrypt-existing-and-new-amazon-ebs-volumes.html Creating a snapshot of each unencrypted volume, creating a new encrypted volume from the unencrypted snapshot, detaching the existing volume, and replacing it with the encrypted volume (Option C) is not required since the volumes can be encrypted in place
upvoted 1 times
heatblur
1 year, 7 months ago
The volumes can not be encrypted in place -- see the steps (copy/pasted from the link you shared): 1. AWS Config detects an unencrypted EBS volume. 2. An administrator uses AWS Config to send a remediation command to Systems Manager. 3. The Systems Manager automation takes a snapshot of the unencrypted EBS volume. 4. The Systems Manager automation uses AWS KMS to create an encrypted copy of the snapshot. 5. The Systems Manager automation does the following: Stops the affected EC2 instance if it is running. Attaches the new, encrypted copy of the volume to the EC2 instance. Returns the EC2 instance to its original state. Also, under the Limitations section: "When you remediate existing, unencrypted EBS volumes, ensure that the EC2 instance is not in use. This automation shuts down the instance in order to detach the unencrypted volume and attach the encrypted one. There is downtime while the remediation is in progress."
upvoted 1 times
...
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel