Exam AWS Certified Security - Specialty topic 1 question 357 discussion

C https://docs.aws.amazon.com/autoscaling/ec2/userguide/asg-instance-refresh.html https://aws.amazon.com/premiumsupport/knowledge-center/ebs-automatic-encryption/ Turning on encryption by default doesn't change any existing unencrypted or encrypted resources. It encrypts only volumes and snapshot copies that you create after turning on default encryption.

I believe C is the right answer.

enabling encryption by default in the EC2 console does not apply to existing EBS volumes. It only applies to new EBS volumes that are created after the setting is enabled. And in question it was specifically asked 'Now'. so

based on the statement: "A security engineer must implement a solution to ensure that all EBS volumes are encrypted now and in the future" I am picking C as other volumes could be spun up outside of the ASG that were un-encrypted and B only addresses the ASG.

C is correct

Seems split between B and C. B certainly sounds feasible, but I would elimintate it simply because you're waiting for the ASG to replace all the old instances. I'd much prefer to use the instance refresh feature to replace the instances instantly. C sounds like the better option, since it will not only cover the instances in the ASG, but all other instances by default. https://repost.aws/knowledge-center/ebs-automatic-encryption If C wasn't an option, I'd likely go A though.

With B you solve the question without entropy of other configurations

sse69 links and explanation are both fine. However, this leads to Answer B as encryption by default only applies to future volumes. But we want all of them to be encrypted now as well. B takes some time until all unencrypted volumes are replaced, but its the only answer left.

Option A is incorrect because updating the launch template will not affect the existing instances with unencrypted EBS volumes. The instance refresh feature only replaces instances that are in the Auto Scaling group, but it does not change the EBS volume encryption. Option C is incorrect because it only applies to new EBS volumes and not to the existing unencrypted EBS volumes attached to the instances. Option D is also incorrect because it sets encryption of new EBS volumes to be enabled by default for each region, but it does not address the existing unencrypted EBS volumes attached to the instances.

Set the Encrypted flag for all EBS volumes to true.

D and B are INCORRECT since the Auto Scaling Groups will not inmediatelly replace the unencrypted ELBs. A is INCORRECT since every ELBs aside from the ones launched from template will be able stay unencrypted. C is the only one CORRECT since you cover the entire Region and you don't have to wait for the ELBs to be replaced.

Going with C based on Instance Refresh documentation provided. Also the 'wait' is a sign that B is not correct. I've seen many ASGs in Production that do not change for extended periods of time.

Option C doesn't answer a case that in the future the company decide to use a new region.

Guys read the question carefully "implement a solution to ensure that all EBS volumes are encrypted now and in the future".. By using the option B the instances will be launched with encryption for this autoscaling group.. But remember, in FUTURE, if you launch any instance then by default that EBS volume will NOT be encrypted... But the Option C ensures that any EBS volume launched in FUTURE will be encrypted and as well as it will also encrypt the volume of current autoscaling group. Hence the correct answer is C.

Either B or C should work. The requirement says 'now'. B says wait != now whereas C = instance refresh = now so I guess C

An instance refresh can be helpful when you have a new Amazon Machine Image (AMI) or a new user data script. To use an instance refresh, first create a new launch template that specifies the new AMI or user data script. Then, start an instance refresh to begin updating the instances in the group immediately. So its B

https://docs.aws.amazon.com/autoscaling/ec2/userguide/change-launch-config.html