Q60 — AWS DVA-C02 Ch.2
A company is building a compute-intensive application that runs on a single Amazon EC2 instance. The application uses attached Amazon EBS volumes to store data. The application processes sensitive information, and all data must be encrypted at rest.
- A. Configure the Amazon EC2 instance launch template to use encrypted EBS volumes for data storage. ✓
- B. Add logic to write all data to an encrypted Amazon S3 bucket.
- C. Add custom encryption algorithms to the application to encrypt and decrypt all data.
- D. Create a new Amazon Machine Image (AMI) with an encrypted root volume and store data on the instance store (ephemeral) disk.
Correct Answer: A. Configure the Amazon EC2 instance launch template to use encrypted EBS volumes for data storage.
Explanation
Amazon EBS encryption provides transparent, server-side encryption at rest using AWS KMS keys, with no performance impact or application-level changes required. Encryption occurs on the host server, securing both data at rest and data in transit between the EC2 instance and its EBS volumes. Option A directly implements this best practice. Option B shifts the storage architecture unnecessarily and may introduce latency and cost. Option C adds operational overhead, a key management burden, and potential vulnerabilities. Option D uses the ephemeral instance store, which is non-persistent, unencrypted by default, and unsuitable for durable sensitive data. Therefore, Option A is correct.