What should the solutions architect do to accomplish this?
Enable EBS encryption by default for the AWS Region.
Enable EBS encryption by default for the specific volumes.
Create a new volume and specify the symmetric customer master key (CMK) to use for encryption.
Create a new volume and specify the asymmetric customer master key (CMK) to use for encryption.
Explanations:
Enabling EBS encryption by default for the AWS Region ensures that all newly created EBS volumes are automatically encrypted, including those restored from unencrypted snapshots. This is the best practice to ensure that all EBS volumes, regardless of their origin, are encrypted without manual intervention.
Enabling EBS encryption by default for specific volumes does not address volumes restored from unencrypted snapshots, as those would not inherit encryption settings unless explicitly specified at the time of creation. This option lacks the comprehensive coverage needed for all scenarios.
Creating a new volume and specifying a symmetric customer master key (CMK) does encrypt that particular volume, but it does not apply by default to volumes restored from unencrypted snapshots. Each volume restoration would require manual intervention to specify encryption, which is not a scalable solution.
Creating a new volume with an asymmetric CMK is not applicable for EBS encryption, as EBS uses symmetric keys for encryption. Therefore, this option is incorrect as it describes a non-viable approach for EBS encryption.