What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?
On a recurring basis, update all IAM user policies to require that EC2 instances are created with an encrypted volume.
Configure an AWS Config rule to run on a recurring basis for volume encryption.
Set up Amazon Inspector rules for volume encryption to run on a recurring schedule.
Use CloudWatch Logs to determine whether instances were created with an encrypted volume.
Explanations:
Updating IAM user policies to require encrypted volumes does not provide a monitoring mechanism; it only enforces policy during instance creation. Existing volumes may remain unmonitored.
AWS Config continuously records and evaluates the configuration of AWS resources, including whether EBS volumes are encrypted. A Config rule can be evaluated on a recurring schedule and reports each volume as compliant or non-compliant, which is the recurring monitoring the question asks for.
Amazon Inspector is designed for security assessments of applications and their configurations, not specifically for monitoring EBS volume encryption. It cannot directly check for encryption status on a recurring basis.
CloudWatch Logs can collect log data from EC2 instances, but it is not designed to check volume encryption status. It would not provide a direct or efficient way to monitor encryption compliance.