Which solution will meet this requirement?
Create an IAM role that specifies EBS encryption. Attach the role to the EC2 instances.
Create the EBS volumes as encrypted volumes. Attach the EBS volumes to the EC2 instances.
Create an EC2 instance tag that has a key of Encrypt and a value of True. Tag all instances that require encryption at the EBS level.
Create an AWS Key Management Service (AWS KMS) key policy that enforces EBS encryption in the account. Ensure that the key policy is active.
Explanations:
Creating an IAM role that specifies EBS encryption does not automatically enforce encryption for EBS volumes. IAM roles control permissions and access, but encryption must be set at the volume level when the volumes are created.
Creating EBS volumes as encrypted volumes ensures that all data written to these volumes is automatically encrypted at rest. This is the direct method to ensure encryption is applied to the data stored on the EBS volumes.
Tagging EC2 instances with an “Encrypt” tag does not enforce EBS encryption. Tags are metadata and do not influence the actual configuration or encryption settings of EBS volumes. Encryption must be specified explicitly when creating the volumes.
While an AWS KMS key policy can control permissions related to the use of KMS keys for encryption, it does not enforce EBS encryption on its own. The volumes themselves must be created as encrypted; a key policy does not automatically apply encryption to existing or new volumes.