Which of the following methods will ensure that the data is unreadable by anyone else?

By:
In: SCS-C01
Tagged:
With: 1 Comment
Example.com hosts its internal document repository on Amazon EC2 instances.The application runs on EC2 instances and previously stored the documents on encrypted Amazon EBS volumes.To optimize the application for scale, example.com has moved the files to Amazon S3.The security team has mandated that all the files are securely deleted from the EBS volume, and it must certify that the data is unreadable before releasing the underlying disks.

Which of the following methods will ensure that the data is unreadable by anyone else?

Change the volume encryption on the EBS volume to use a different encryption mechanism. Then, release the EBS volumes back to AWS.

Release the volumes back to AWS. AWS immediately wipes the disk after it is deprovisioned.

Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to AWS.

Delete the data by using the operating system delete commands. Run Quick Format on the drive and then release the EBS volumes back to AWS.

Explanations:

Changing the encryption mechanism does not securely delete the data; it only re-encrypts it with a new key.

AWS does wipe EBS volumes upon release, but this is done on AWS’s timeline and does not meet immediate security requirements.

Deleting the encryption key renders the encrypted data unreadable. Without the key, data cannot be decrypted, ensuring it is inaccessible.

Operating system delete and quick format commands do not fully delete data; they only mark sectors as free, leaving data recoverable.

2025-10-09

1 Comment

  1. Samantha
    Author

    In my experience, the answer is:
    Delete the encryption key used to encrypt the EBS volume. Then, release the EBS volumes back to AWS.

Leave a Reply to Samantha Cancel reply

Your email address will not be published. Required fields are marked *

1 × three =