Which solution will meet this requirement with the LEAST effort?
Create an Amazon EventBridge (Amazon CloudWatch Events) rule to detect the creation of unencrypted EBS volumes. Invoke an AWS Lambda function to delete noncompliant volumes.
Use AWS Audit Manager with data encryption.
Create an AWS Config rule to detect the creation of a new EBS volume. Encrypt the volume by using AWS Systems Manager Automation.
Turn on EBS encryption by default in all AWS Regions.
Explanations:
While creating an EventBridge rule to detect unencrypted volumes and invoking a Lambda function to delete them can enforce compliance, it requires additional effort to manage the deletion of volumes and does not prevent the creation of unencrypted volumes in the first place.
AWS Audit Manager is primarily used for auditing and assessing compliance over time but does not directly enforce encryption on newly created EBS volumes. It does not provide a proactive solution to ensure all new volumes are encrypted.
Creating an AWS Config rule to detect unencrypted volumes and using AWS Systems Manager Automation to encrypt them would enforce compliance; however, it involves multiple steps and ongoing management to react to noncompliant volumes, which increases effort.
Turning on EBS encryption by default in all AWS Regions ensures that all new EBS volumes are automatically encrypted upon creation without requiring any additional action or monitoring, thus meeting the requirement with the least effort.