Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)
Create an organization in AWS Organizations. Set up AWS Control Tower, and turn on the strongly recommended guardrails. Join all accounts to the organization. Categorize the AWS accounts into OUs.
Use the AWS CLI to list all the unencrypted volumes in all the AWS accounts. Run a script to encrypt all the unencrypted volumes in place.
Create a snapshot of each unencrypted volume. Create a new encrypted volume from the unencrypted snapshot. Detach the existing volume, and replace it with the encrypted volume.
Create an organization in AWS Organizations. Set up AWS Control Tower, and turn on the mandatory guardrails. Join all accounts to the organization. Categorize the AWS accounts into OUs.
Turn on AWS CloudTrail. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule to detect and automatically encrypt unencrypted volumes.
Explanations:
AWS Control Tower provides centralized management for compliance and security across multiple AWS accounts. The strongly recommended guardrails enforce best practices for security and compliance, and organizing accounts into organizational units (OUs) allows for easier management of policies.
Using the AWS CLI to list and manually encrypt volumes in place does not provide an automated, scalable solution. Additionally, the process would require downtime and is prone to errors. It does not address automatic detection of unencrypted volumes in the future.
Creating a snapshot of each unencrypted volume and then creating a new encrypted volume from the snapshot is a valid approach to encrypting existing unencrypted volumes. It ensures that the volumes are securely encrypted without data loss.
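The snapshot-then-encrypted-volume workflow above, written as an added example (not part of the original question and not an AWS-provided script). The EC2 client is injected so the call sequence can be exercised with a fake; with boto3 installed, pass `boto3.client("ec2")`. The `kms_key_id` parameter and the expectation that the caller has already stopped the instance or unmounted the device are assumptions.

```python
"""Encrypt an unencrypted EBS volume: snapshot -> encrypted volume -> swap.

Added example. `ec2` is any object with the boto3 EC2 client methods used
below; `kms_key_id` (assumed parameter) selects the KMS key, default key if None.
"""


def encrypt_volume(ec2, volume_id, kms_key_id=None):
    """Return the id of the encrypted volume that now replaces `volume_id`."""
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if vol.get("Encrypted"):
        return volume_id  # already encrypted; safe to re-run over a fleet

    # 1. Snapshot the unencrypted volume and wait until the copy is complete.
    snap_id = ec2.create_snapshot(
        VolumeId=volume_id, Description=f"pre-encryption copy of {volume_id}"
    )["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id])

    # 2. Create the replacement from that snapshot with Encrypted=True; EBS
    #    encrypts the data as the new volume is built from the unencrypted
    #    snapshot. Size and AZ must match the original attachment.
    params = dict(
        SnapshotId=snap_id,
        AvailabilityZone=vol["AvailabilityZone"],
        VolumeType=vol["VolumeType"],
        Encrypted=True,
    )
    if kms_key_id:
        params["KmsKeyId"] = kms_key_id
    new_id = ec2.create_volume(**params)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_id])

    # 3. Detach the old volume and attach the encrypted one at the same device
    #    name. Assumes the instance is stopped (root volume) or the filesystem
    #    is unmounted, otherwise the detach will not complete cleanly.
    for att in vol.get("Attachments", []):
        ec2.detach_volume(VolumeId=volume_id, InstanceId=att["InstanceId"])
        ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
        ec2.attach_volume(
            VolumeId=new_id, InstanceId=att["InstanceId"], Device=att["Device"]
        )
    return new_id


if __name__ == "__main__":
    import sys
    import boto3  # only needed for a real run against an AWS account

    print(encrypt_volume(boto3.client("ec2"), sys.argv[1]))
```

The old unencrypted volume and the intermediate snapshot are left in place on purpose so they can be verified before deletion.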
Turning on mandatory guardrails in AWS Control Tower is not the best fit for the specific compliance goal here. The “strongly recommended” guardrails are a better choice as they align more closely with securing and managing resources across accounts, particularly in terms of encryption.
AWS CloudTrail and EventBridge rules can be used to monitor for events, but they do not automatically encrypt unencrypted volumes. This setup would help detect unencrypted volumes but does not solve the issue of encryption directly.