Which combination of steps will meet these requirements?

By:
On:
In: SAA-C03
Tagged:
With: 0 Comments
A company uses AWS Organizations with all features enabled and runs multiple Amazon EC2 workloads in the ap-southeast-2 Region.The company has a service control policy (SCP) that prevents any resources from being created in any other Region.A security policy requires the company to encrypt all data at rest.An audit discovers that employees have created Amazon Elastic Block Store (Amazon EBS) volumes for EC2 instances without encrypting the volumes.The company wants any new EC2 instances that any IAM user or root user launches in ap-southeast-2 to use encrypted EBS volumes.The company wants a solution that will have minimal effect on employees who create EBS volumes.

Which combination of steps will meet these requirements?

(Choose two.)

In the Amazon EC2 console, select the EBS encryption account attribute and define a default encryption key.

Create an IAM permission boundary. Attach the permission boundary to the root organizational unit (OU). Define the boundary to deny the ec2:CreateVolume action when the ec2:Encrypted condition equals false.

Create an SCP. Attach the SCP to the root organizational unit (OU). Define the SCP to deny the ec2:CreateVolume action whenthe ec2:Encrypted condition equals false.

Update the IAM policies for each account to deny the ec2:CreateVolume action when the ec2:Encrypted condition equals false.

In the Organizations management account, specify the Default EBS volume encryption setting.

Explanations:

Selecting the EBS encryption account attribute in the EC2 console is not sufficient to enforce encryption for new EBS volumes. It needs to be set in the Organizations management account for all accounts.

Creating an IAM permission boundary and applying it to the root OU is not the most efficient solution. SCPs are a better fit for this organization-wide policy.

An SCP can be used to enforce encryption by denying theec2:CreateVolumeaction when theec2:Encryptedcondition equals false, ensuring compliance across accounts in the OU.

Updating IAM policies to deny theec2:CreateVolumeaction whenec2:Encryptedis false is not the best solution for enforcing encryption, as it applies on a user/role basis and does not provide a global solution.

Specifying the Default EBS volume encryption setting in the Organizations management account will automatically encrypt EBS volumes in the ap-southeast-2 region for all accounts, meeting the security policy.

Leave a Reply

Your email address will not be published. Required fields are marked *

2 × five =