Examice

Exam SAP-C02 All QuestionsBrowse all questions from this exam

Question 369

A company has multiple AWS accounts. The company recently had a security audit that revealed many unencrypted Amazon Elastic Block Store (Amazon EBS) volumes attached to Amazon EC2 instances.

A solutions architect must encrypt the unencrypted volumes and ensure that unencrypted volumes will be detected automatically in the future. Additionally, the company wants a solution that can centrally manage multiple AWS accounts with a focus on compliance and security.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

Create an organization in AWS Organizations. Set up AWS Control Tower, and turn on the strongly recommended controls (guardrails). Join all accounts to the organization. Categorize the AWS accounts into OUs.

Use the AWS CLI to list all the unencrypted volumes in all the AWS accounts. Run a script to encrypt all the unencrypted volumes in place.

Create a snapshot of each unencrypted volume. Create a new encrypted volume from the unencrypted snapshot. Detach the existing volume, and replace it with the encrypted volume.

Create an organization in AWS Organizations. Set up AWS Control Tower, and turn on the mandatory controls (guardrails). Join all accounts to the organization. Categorize the AWS accounts into OUs.

Turn on AWS CloudTrail. Configure an Amazon EventBridge rule to detect and automatically encrypt unencrypted volumes.

Correct Answer: A, C

To meet the requirements of encrypting unencrypted EBS volumes and ensuring unencrypted volumes will be detected automatically in the future, two steps are necessary. First, setting up AWS Control Tower and turning on the strongly recommended controls (guardrails) within an organization in AWS Organizations will provide centralized management across multiple AWS accounts with a focus on compliance and security. This setup will enable continuous monitoring to detect any unencrypted EBS volumes. Second, since EBS volumes cannot be encrypted in place, it is necessary to first create a snapshot of each unencrypted volume, create a new encrypted volume from the unencrypted snapshot, and then detach the existing unencrypted volume and replace it with the encrypted volume. This ensures all volumes are encrypted as required.

Discussion

J0n102Options: AC

A: strongly recommended controls - detects whether the Amazon EBS volumes attached to an Amazon EC2 instance are encrypted C: Best way to encrypt an unencrypted volume

Russs99Options: AC

the appropriate guardrail is: A Strongly recommended guardrail: Detect Whether Encryption is Enabled for Amazon EBS Volumes Attached to Amazon EC2 Instances. This guardrail continuously monitors your environment and detects any EC2 instances with unencrypted EBS volumes attached

cypkirOptions: AC

Answer: A C

devalenzuela86

https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-encrypt-existing-and-new-amazon-ebs-volumes.html Creating a snapshot of each unencrypted volume, creating a new encrypted volume from the unencrypted snapshot, detaching the existing volume, and replacing it with the encrypted volume (Option C) is not required since the volumes can be encrypted in place

heatblur

The volumes can not be encrypted in place -- see the steps (copy/pasted from the link you shared): 1. AWS Config detects an unencrypted EBS volume. 2. An administrator uses AWS Config to send a remediation command to Systems Manager. 3. The Systems Manager automation takes a snapshot of the unencrypted EBS volume. 4. The Systems Manager automation uses AWS KMS to create an encrypted copy of the snapshot. 5. The Systems Manager automation does the following: Stops the affected EC2 instance if it is running. Attaches the new, encrypted copy of the volume to the EC2 instance. Returns the EC2 instance to its original state. Also, under the Limitations section: "When you remediate existing, unencrypted EBS volumes, ensure that the EC2 instance is not in use. This automation shuts down the instance in order to detach the unencrypted volume and attach the encrypted one. There is downtime while the remediation is in progress."

tflOptions: AC

AC for sure. Unencrypted EBS detection is part of strongly recommended guardrails, and you cannot encrypt a volume or snapshot in place. You need to create a new encrypted volume from an unencrypted snapshot, and attach it to the instance.

shaaam80Options: AE

"and ensure that unencrypted volumes will be detected automatically in the future. " - to automatically detect unencrypted volumes, we need CloudTrail and Eventbridge to detect and encrypt unencrypted volumes automatically.

shaaam80

Changing to A&C.

shaaam80Options: AC

Answer AC

pic1Options: AE

"...centrally manage multiple AWS accounts with a focus on compliance and security", and "...ensure that unencrypted volumes will be detected automatically..."

vip2Options: AC

A and C are correct according to https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#ebs-enable-encryption

kejamOptions: AC

https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#ebs-enable-encryption

career360guruOptions: AC

Option A & C

ayadmawlaOptions: AC

Answer A+C

devalenzuela86

BD for sure

devalenzuela86

Change to BE Creating an organization in AWS Organizations, setting up AWS Control Tower, and turning on the mandatory controls (guardrails) (Option D) is not required since the strongly recommended controls (guardrails) are sufficient