Q38 — AWS SCS-C02 Ch.1
Question 38 of 100
A company is designing a new application stack. The design includes web servers and backend servers that are hosted on Amazon EC2 instances. The design also includes an Amazon Aurora MySQL DB cluster. The EC2 instances are in an Auto Scaling group that uses launch templates. The EC2 instances for the web layer and the backend layer are backed by Amazon Elastic Block Store (Amazon EBS) volumes. No layers are encrypted at rest. A security engineer needs to implement encryption at rest. Which combination of steps will meet these requirements? (Choose two.)
- A. Modify EBS default encryption settings in the target AWS Region to enable encryption. Use an Auto Scaling group instance refresh. ✓
- B. Modify the launch templates for the web layer and the backend layer to add AWS Certificate Manager (ACM) encryption for the attached EBS volumes. Use an Auto Scaling group instance refresh.
- C. Create a new AWS Key Management Service (AWS KMS) encrypted DB cluster from a snapshot of the existing DB cluster. ✓
- D. Apply AWS Key Management Service (AWS KMS) encryption to the existing DB cluster.
- E. Apply AWS Certificate Manager (ACM) encryption to the existing DB cluster.
Correct Answer: A and C. (A. Modify EBS default encryption settings in the target AWS Region to enable encryption. Use an Auto Scaling group instance refresh. C. Create a new AWS Key Management Service (AWS KMS) encrypted DB cluster from a snapshot of the existing DB cluster.)
Explanation
Encryption at rest in AWS here covers two things: the EBS volumes and the database. Once EBS encryption by default is enabled in the Region, every newly created volume is encrypted automatically, but existing volumes stay unencrypted, so an Auto Scaling group instance refresh is needed to replace the current instances with new ones that get encrypted volumes. An Aurora MySQL cluster cannot be encrypted in place; encryption is enabled when restoring a snapshot of the existing cluster into a new cluster, which is then encrypted with an AWS KMS key. ACM manages TLS certificates and has nothing to do with EBS or database encryption at rest. Option A is correct because it enables default encryption and refreshes the instances; option C is correct because it creates a new encrypted cluster from a snapshot. Options B and E name the wrong service (ACM), and option D is not feasible because an existing unencrypted cluster cannot simply have KMS encryption applied to it. See the AWS documentation on EBS encryption and on encrypting Aurora resources.