What is the MOST efficient way for the Administrator to meet this requirement?
Create an AWS Lambda function to run on a daily schedule, and have the function run the aws ec2 describe-volumes --filters encrypted command.
Within AWS Config, configure the encrypted-volumes managed rule and specify the key ID of the CMK.
Log in to the AWS Management Console on a daily schedule, then filter the list of volumes by encryption status, then export this list.
Create an AWS Lambda function to run on a daily schedule, and have the function run the aws kms describe-key command.
Explanations:
Running the aws ec2 describe-volumes --filters encrypted command only checks for the encryption status of existing volumes. It does not ensure that new volumes are encrypted with a specific AWS KMS CMK.
AWS Config’s encrypted-volumes managed rule can be used to monitor and enforce encryption of EBS volumes. By specifying the key ID of the CMK, it ensures that both existing and future volumes are encrypted with the desired key.
Manually logging into the AWS Management Console and exporting a list of volumes based on encryption status is a time-consuming process and does not provide an automated way to ensure future volumes are encrypted with the correct CMK.
Running the aws kms describe-key command checks details of the KMS key itself but does not address the encryption status of EBS volumes. This command is not relevant for monitoring or enforcing encryption on EBS volumes.