ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 518 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 518
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A company has deployed applications to thousands of Amazon EC2 instances in an AWS account. A security audit discovers that several unencrypted Amazon Elastic Block Store (Amazon EBS) volumes are attached to the EC2 instances. The company’s security policy requires the EBS volumes to be encrypted.

The company needs to implement an automated solution to encrypt the EBS volumes. The solution also must prevent development teams from creating unencrypted EBS volumes.

Which solution will meet these requirements?

  • A. Configure the AWS Config managed rule that identifies unencrypted EBS volumes. Configure an automatic remediation action. Associate an AWS Systems Manager Automation runbook that includes the steps to create a new encrypted EBS volume. Create an AWS Key Management Service (AWS KMS) customer managed key. In the key policy, include a statement to deny the creation of unencrypted EBS volumes.
  • B. Use AWS Systems Manager Fleet Manager to create a list of unencrypted EBS volumes, Create a Systems Manager Automation runbook that includes the steps to create a new encrypted EBS volume. Create an SCP to deny the creation of unencrypted EBS volumes.
  • C. Use AWS Systems Manager Fleet Manager to create a list of unencrypted EBS volumes. Create a Systems Manager Automation runbook that includes the steps to create a new encrypted EBS volume. Modify the AWS account setting for EBS encryption to always encrypt new EBS volumes.
  • D. Configure the AWS Config managed rule that identifies unencrypted EBS volumes. Configure an automatic remediation action. Associate an AWS Systems Manager Automation runbook that includes the steps to create a new encrypted EBS volume. Modify the AWS account setting for EBS encryption to always encrypt new EBS volumes.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by awsaz at June 28, 2024, 11:27 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
AzureDP900
5 months, 1 week ago
Option D meet the requirements of automatically encrypting existing unencrypted EBS volumes and preventing development teams from creating unencrypted EBS volumes, you can configure an AWS Config managed rule that identifies unencrypted EBS volumes. The automatic remediation action should be to create a new encrypted EBS volume and replace the old one. Additionally, modifying the AWS account setting for EBS encryption to always encrypt new EBS volumes ensures that no more unencrypted EBS volumes are created in the future.
upvoted 2 times
...
sammyhaj
5 months, 2 weeks ago
Selected Answer: B
Issue is that NONE prevent new EBS volumes to be launched without encryption, albiet systems manager can remediate it isn't ideal. regardless you need a solution to PREVENT 100% unecrypted drives, and this is only done via SCP. other items can be circumvented by CLI
upvoted 1 times
alexbraila
4 months, 2 weeks ago
SCPs are not available in this case, as the question is about a standalone AWS account, not an organization
upvoted 2 times
...
...
Daniel76
6 months, 1 week ago
Selected Answer: D
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-encrypt-existing-and-new-amazon-ebs-volumes.html 1. Use AWS Config to detects an unencrypted EBS volume. Not fleet manager. B and C out. 2. System manager runbook is the automation that create encrypted copy of the EBS snapshot and replace the encrypted EBS with the encrypted copy. The KMS is used for the encryption and it cannot be used to deny creation of unencrypted EBS volume (A is out).
upvoted 2 times
...
PSPaul
6 months, 1 week ago
My answer is D Proactive Remediation: The AWS Config rule and Automation runbook identify and remediate existing unencrypted volumes automatically. Preventive Measure: The modified AWS account setting ensures that all new EBS volumes created in the account are automatically encrypted. This approach provides a comprehensive solution that addresses both existing unencrypted volumes and future volume creation. Why not Option A: While it addresses the issue of existing unencrypted volumes, it doesn't prevent future unencrypted volume creation.
upvoted 2 times
...
vip2
10 months ago
Selected Answer: D
D is correct instead of A because AWS support change account setting for EBS encryption
upvoted 3 times
...
Helpnosense
10 months, 1 week ago
Selected Answer: D
Use config to find unencrypted EBS. Change the default setting.
upvoted 2 times
...
kupo777
10 months, 1 week ago
D Enabling default encryption for EBSs prevents the creation of unencrypted EBSs.
upvoted 2 times
...
awsaz
10 months, 1 week ago
Selected Answer: D
the answer is D
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago