Q7 — AWS SAA-C03 Ch.5


Q307. A company uses AWS Organizations with all features enabled and runs multiple Amazon EC2 workloads in the ap-southeast-2 Region. The company has a service control policy (SCP) that prevents any resources from being created in any other Region. A security policy requires the company to encrypt all data at rest. An audit discovers that employees have created Amazon Elastic Block Store (Amazon EBS) volumes for EC2 instances without encrypting the volumes. The company wants any new EC2 instances that any IAM user or root user launches in ap-southeast-2 to use encrypted EBS volumes. The company wants a solution that will have minimal effect on employees who create EBS volumes. Which combination of steps will meet these requirements? (Select TWO.)

Correct Answer: C and E.

C. Create an SCP. Attach the SCP to the root organizational unit (OU). Define the SCP to deny the ec2:CreateVolume action when the ec2:Encrypted condition equals false.

E. In the Organizations management account, specify the Default EBS volume encryption setting.

Explanation

Option C: Creating an SCP and attaching it to the root organizational unit (OU) to deny the ec2:CreateVolume action when the ec2:Encrypted condition equals false will enforce the security policy of encrypting all EBS volumes for new EC2 instances launched in ap-southeast-2. This will not impact employees who create EBS volumes, as it only applies to new instances.

Option E: Specifying the Default EBS volume encryption setting in the Organizations management account will ensure that any new EC2 instances launched in ap-southeast-2 use encrypted EBS volumes by default. This meets the company's requirement of having minimal effect on employees who create EBS volumes.

Option A: Selecting the EBS encryption account attribute and defining a default encryption key in the Amazon EC2 console will not enforce the security policy of encrypting all EBS volumes for new EC2 instances launched in ap-southeast-2. This option only defines the default encryption key for all EBS volumes created in the AWS account, which may impact existing workflows or scripts.

Options B and D: These options involve creating an IAM permission boundary or updating IAM policies for each account to deny the ec2:CreateVolume action when the ec2:Encrypted condition equals false. While they will enforce the security policy of encrypting EBS volumes, they may have an impact on employees who create EBS volumes, as they may require them to modify their existing workflows or scripts.