A solutions architect needs to ensure that all Amazon Elastic Block Store (Amazon EBS) volumes restored from unencrypted EBS snapshots are encrypted. What should the solutions architect do to accomplish this?
A. Enable EBS encryption by default for the AWS Region.
B. Enable EBS encryption by default for the specific volumes.
C. Create a new volume and specify the symmetric customer master key (CMK) to use for encryption.
D. Create a new volume and specify the asymmetric customer master key (CMK) to use for encryption.
People! It has to be A!! The question asked is to ensure that ALL volumes restored are encrypted. So it has to be "Enable encryption by default". Read here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default
That is correct. Although option C is also true, you have to enable encryption for each individual volume created from the unencrypted snapshot. When encryption by default is enabled, all volumes created from the unencrypted snapshots are automatically encrypted using the default encryption key, and if this key is to be replaced, a new symmetric CMK can be specified.
Ref: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
Answer is C
This statement makes the assumption that we are looking at globally enabling the setting as opposed to the specific use case as identified in the question. Yes, absolutely if we enable encryption all parents and children will be encrypted. In this scenario, the architect is presented with unencrypted snapshots and needs to utilize them to restore volumes. The only ways to achieve this are to:
1. EBS>Snapshots>Actions>Create volume from snapshot
2. EBS>Snapshots>Actions>Copy snapshot
This was also confirmed from the hands-on lab with Stephane Maarek - Udemy with this exact scenario.
We can either specify automatic encryption at the Region scope or do it manually at the EBS instance level, at creation.
Here the question states that we want to ENSURE that ALL the instances are encrypted. This can only be done by enabling encryption on the Region. During that step we have to specify an encryption key anyway (just like C). The difference is that it's done automatically for you for all subsequent instance creation.
My answer is A
Problem script is confusing.
A.(O) If you enable encryption by default, Amazon EBS automatically encrypts new volumes and snapshots using your default KMS key for EBS encryption. (is this to verifying?)
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default
B.(X) Encryption by default is a Region-specific setting. If you enable it for a Region, you cannot disable it for individual volumes or snapshots in that Region.
C.(🔺) Repeating this for each individual snapshot?
D.(X) Amazon EBS does not support asymmetric encryption KMS keys.
It should be A. The question asked is to ensure that any volumes that are restored must be encrypted. You enable EBS encryption by default; then when you restore from an unencrypted snapshot it always shows encryption enabled by default, with no way to disable it.
A is correct: read the link here. Every EBS created in a Region will get automatically encrypted if the Region-level setting is made. The question here is about "ensuring", not "manually doing it". https://aws.amazon.com/premiumsupport/knowledge-center/ebs-automatic-encryption/
New Amazon EBS volumes aren't encrypted by default. However, there is a setting in the Amazon Elastic Compute Cloud (Amazon EC2) console that turns on encryption by default for all new Amazon EBS volumes and snapshot copies created within a specified Region.
It is A!!
Encrypt unencrypted resources
Although there is no direct way to encrypt an existing unencrypted volume or snapshot, you can encrypt them by creating either a volume or a snapshot. If you enabled encryption by default, Amazon EBS encrypts the resulting new volume or snapshot using your default KMS key for EBS encryption. Even if you have not enabled encryption by default, you can enable encryption when you create an individual volume or snapshot. Whether you enable encryption by default or in individual creation operations, you can override the default KMS key for EBS encryption and select a symmetric customer managed key. For more information, see Create an Amazon EBS volume and Copy an Amazon EBS snapshot.
There's a major confirmation bias problem on these questions. If you find one link that supports your answer ensure that you are also looking up the other answers. One may have an even BETTER reason for being the answer.
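The following Python is an added example, not posted by any participant in this thread. It checks the Region-level "encryption by default" setting discussed above in each Region, optionally turns it on, and lists volumes that are still unencrypted, since the setting applies only to newly created volumes and snapshot copies. The function names and the client_for_region parameter are assumptions of this example; the EC2 calls are boto3's get_ebs_encryption_by_default, enable_ebs_encryption_by_default and describe_volumes.

```python
"""Audit (and optionally enable) EBS encryption by default, Region by Region."""


def audit_ebs_default_encryption(client_for_region, regions, enable=False):
    """Return {region: 'enabled' | 'fixed' | 'DISABLED'}.

    client_for_region is a callable (assumed name) that takes a Region name
    and returns an EC2 client, e.g. lambda r: boto3.client("ec2", region_name=r).
    """
    report = {}
    for region in regions:
        ec2 = client_for_region(region)
        # The setting is per account and per Region; it has no per-volume form.
        if ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]:
            report[region] = "enabled"
        elif enable:
            resp = ec2.enable_ebs_encryption_by_default()
            report[region] = "fixed" if resp["EbsEncryptionByDefault"] else "DISABLED"
        else:
            report[region] = "DISABLED"
    return report


def unencrypted_volumes(ec2):
    """Return IDs of volumes that exist unencrypted in the client's Region.

    Turning the Region setting on does not change these; they have to be
    recreated from a snapshot to become encrypted.
    """
    ids = []
    paginator = ec2.get_paginator("describe_volumes")
    flt = [{"Name": "encrypted", "Values": ["false"]}]
    for page in paginator.paginate(Filters=flt):
        ids.extend(v["VolumeId"] for v in page["Volumes"])
    return ids


if __name__ == "__main__":
    import boto3  # only needed for a live run with AWS credentials configured

    def make(region):
        return boto3.client("ec2", region_name=region)

    names = [r["RegionName"] for r in make("us-east-1").describe_regions()["Regions"]]
    for region, state in audit_ebs_default_encryption(make, names).items():
        print(region, state, unencrypted_volumes(make(region)))
```

Run it read-only first; pass enable=True only once the default KMS key for each Region is the one you intend to use.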