Which solution will meet this requirement?
Create an IAM role that specifies EBS encryption. Attach the role to the EC2 instances.
Create the EBS volumes as encrypted volumes. Attach the EBS volumes to the EC2 instances.
Create an EC2 instance tag that has a key of Encrypt and a value of True. Tag all instances that require encryption at the EBS level.
Create an AWS Key Management Service (AWS KMS) key policy that enforces EBS encryption in the account. Ensure that the key policy is active.
Explanations:
IAM roles control permissions for EC2 instances, but they do not directly control EBS encryption. EBS encryption must be set at the volume level, not via IAM roles.
Creating EBS volumes as encrypted ensures that all data written to the volume is automatically encrypted at rest. This is the correct solution.
EC2 instance tags do not control EBS encryption. Encryption must be configured when the volume is created, not via instance tags.
Key policies in AWS KMS control access to encryption keys but do not enforce EBS encryption across the account. EBS encryption must be explicitly enabled when creating volumes.