Q59 — AWS DOP-C02 Ch.1

A company uses AWS Organizations to manage multiple accounts. Its information security policy requires unencrypted Amazon EBS volumes to be marked non-compliant. A DevOps engineer must automatically deploy a solution and ensure this compliance check remains continuously enforced. Which solution achieves this?

Correct Answer: B. Create an AWS Config organization rule to check whether EBS encryption is enabled and deploy it using the AWS CLI. Create and apply an SCP to prevent stopping or deleting AWS Config across the entire organization.

Explanation

AWS Config organization rules provide centralized, consistent monitoring of resource configurations, including EBS encryption status, across all accounts in an organization. Deploying the rule with the AWS CLI automates the rollout and keeps enforcement uniform. Applying an SCP that prohibits disabling or deleting AWS Config keeps the rule active, so unencrypted EBS volumes continue to be flagged as non-compliant, as the security policy requires. Thus, Option B is correct.