Which combination of steps should the solutions architect take to meet these requirements?

By:
On:
In: SAP-C02
Tagged:
With: 0 Comments
A company has multiple AWS accounts.The company recently had a security audit that revealed many unencrypted Amazon Elastic Block Store (Amazon EBS) volumes attached to Amazon EC2 instances.A solutions architect must encrypt the unencrypted volumes and ensure that unencrypted volumes will be detected automatically in the future.Additionally, the company wants a solution that can centrally manage multiple AWS accounts with a focus on compliance and security.

Which combination of steps should the solutions architect take to meet these requirements?

(Choose two.)

Create an organization in AWS Organizations. Set up AWS Control Tower, and turn on the strongly recommended controls (guardrails). Join all accounts to the organization. Categorize the AWS accounts into OUs.

Use the AWS CLI to list all the unencrypted volumes in all the AWS accounts. Run a script to encrypt all the unencrypted volumes in place.

Create a snapshot of each unencrypted volume. Create a new encrypted volume from the unencrypted snapshot. Detach the existing volume, and replace it with the encrypted volume.

Create an organization in AWS Organizations. Set up AWS Control Tower, and turn on the mandatory controls (guardrails). Join all accounts to the organization. Categorize the AWS accounts into OUs.

Turn on AWS CloudTrail. Configure an Amazon EventBridge rule to detect and automatically encrypt unencrypted volumes.

Explanations:

Setting up AWS Organizations and Control Tower helps manage multiple accounts centrally, providing governance, compliance, and security controls, which is necessary for detecting and managing unencrypted volumes across accounts.

While using the AWS CLI to list and encrypt volumes is a practical approach, it does not provide a centralized solution or automate future detection, which is a requirement.

Creating snapshots of unencrypted volumes and replacing them with encrypted volumes is the correct method to ensure encryption. This step directly addresses the immediate issue of unencrypted volumes.

While setting up AWS Organizations and Control Tower is beneficial, turning on mandatory controls (guardrails) does not directly contribute to the detection and encryption of unencrypted EBS volumes, as the recommended controls would likely cover more compliance aspects.

Turning on AWS CloudTrail and configuring EventBridge for automatic detection is a good strategy; however, the specific action to encrypt the volumes automatically is not adequately addressed, making this option incomplete for the requirements.

Leave a Reply

Your email address will not be published. Required fields are marked *

ten + sixteen =