Which solution will meet these requirements?
A. Configure the AWS Config managed rule that identifies unencrypted EBS volumes. Configure an automatic remediation action. Associate an AWS Systems Manager Automation runbook that includes the steps to create a new encrypted EBS volume. Create an AWS Key Management Service (AWS KMS) customer managed key. In the key policy, include a statement to deny the creation of unencrypted EBS volumes.
B. Use AWS Systems Manager Fleet Manager to create a list of unencrypted EBS volumes. Create a Systems Manager Automation runbook that includes the steps to create a new encrypted EBS volume. Create an SCP to deny the creation of unencrypted EBS volumes.
C. Use AWS Systems Manager Fleet Manager to create a list of unencrypted EBS volumes. Create a Systems Manager Automation runbook that includes the steps to create a new encrypted EBS volume. Modify the AWS account setting for EBS encryption to always encrypt new EBS volumes.
D. Configure the AWS Config managed rule that identifies unencrypted EBS volumes. Configure an automatic remediation action. Associate an AWS Systems Manager Automation runbook that includes the steps to create a new encrypted EBS volume. Modify the AWS account setting for EBS encryption to always encrypt new EBS volumes.
Explanations:
Option A: While this option configures AWS Config to identify unencrypted EBS volumes and sets up automatic remediation with a runbook, it does not prevent the creation of unencrypted volumes as required by the company's security policy. A KMS key policy statement that denies unencrypted volume creation is not a valid method to enforce encryption at volume creation.
Option B: This option creates a list of unencrypted EBS volumes and an automation runbook to create encrypted volumes, but it relies on Service Control Policies (SCPs) to deny unencrypted volume creation. SCPs apply at the organization level, not per account, and thus cannot enforce the prevention of unencrypted EBS volumes directly. Additionally, it lacks a proactive measure to automatically remediate unencrypted volumes.
Option C: This option uses AWS Systems Manager Fleet Manager to identify unencrypted EBS volumes and creates a runbook for remediation, but it does not implement an automatic remediation process. It does modify the EBS encryption setting, but without a proactive measure to remediate existing unencrypted volumes it fails to meet the requirement fully.
Option D: This option effectively identifies unencrypted EBS volumes using AWS Config, sets up an automatic remediation action with a runbook, and modifies the AWS account setting to always encrypt new EBS volumes. This comprehensive approach ensures that both existing and future EBS volumes comply with the security policy.