
SAP-C02 Exam - Question 369


A company has multiple AWS accounts. The company recently had a security audit that revealed many unencrypted Amazon Elastic Block Store (Amazon EBS) volumes attached to Amazon EC2 instances.

A solutions architect must encrypt the unencrypted volumes and ensure that unencrypted volumes will be detected automatically in the future. Additionally, the company wants a solution that can centrally manage multiple AWS accounts with a focus on compliance and security.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

Correct Answer: AC

Two steps are needed: one for ongoing, organization-wide detection and one for remediating the volumes that already exist. Setting up AWS Control Tower on an organization in AWS Organizations and turning on the strongly recommended controls (guardrails) gives centralized management of all accounts with a focus on compliance and security; that set includes a detective control that continuously checks whether EBS volumes attached to EC2 instances are encrypted, so any unencrypted volume created in the future is flagged automatically. This check is in the strongly recommended set, not the mandatory set, so enabling only the mandatory controls would not meet the detection requirement. For the existing volumes, EBS cannot encrypt a volume in place: create a snapshot of each unencrypted volume, create a new encrypted volume from that snapshot (encryption and the KMS key are specified when the volume is created), stop the instance, detach the unencrypted volume, attach the encrypted volume under the same device name, and start the instance again. The swap involves downtime, and the instance should be verified booting from the encrypted copy before the original volume and snapshot are deleted.
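The remediation sequence described above, as an added example that is not part of the original page or of any AWS sample code: a Python function that runs the snapshot, encrypted-volume, detach and attach steps through the boto3 EC2 client interface (the method names describe_volumes, create_snapshot, create_volume, detach_volume, attach_volume, modify_instance_attribute and the waiters are the real ones), plus a detection helper that lists in-use volumes with Encrypted=false, which is the condition the Control Tower control reports on. The function names, FakeEC2, sample_ec2, the volume and instance IDs and the KMS alias are all hypothetical; FakeEC2 is a constructed stand-in so the flow can run offline, and in a real account you would pass boto3.client("ec2") instead.

```python
"""Detect unencrypted in-use EBS volumes and swap each one for an encrypted copy. Added
example (not from the page): uses real boto3 EC2 client method names against a constructed fake."""


def find_unencrypted_attached_volumes(ec2):
    """Detection: IDs of in-use volumes whose Encrypted flag is false."""
    resp = ec2.describe_volumes(Filters=[{"Name": "status", "Values": ["in-use"]},
                                         {"Name": "encrypted", "Values": ["false"]}])
    return sorted(v["VolumeId"] for v in resp["Volumes"])


def swap_to_encrypted_volume(ec2, volume_id, kms_key_id):
    """Remediation: snapshot -> encrypted volume from it -> stop, detach, attach, start (downtime)."""
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if vol["Encrypted"] or not vol["Attachments"]:
        raise ValueError(f"{volume_id} is already encrypted or is not attached to an instance")
    att = vol["Attachments"][0]
    instance_id, device = att["InstanceId"], att["Device"]
    # 1. Snapshot the unencrypted volume; EBS cannot encrypt a volume in place.
    snap_id = ec2.create_snapshot(VolumeId=volume_id,
                                  Description=f"pre-encryption copy of {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id])

    # 2. Create an encrypted volume from the unencrypted snapshot in the same AZ and type.
    params = {"SnapshotId": snap_id, "AvailabilityZone": vol["AvailabilityZone"],
              "VolumeType": vol["VolumeType"], "Encrypted": True, "KmsKeyId": kms_key_id}
    if vol["VolumeType"] in ("io1", "io2", "gp3") and "Iops" in vol:
        params["Iops"] = vol["Iops"]  # provisioned IOPS are a volume setting, not part of the snapshot
    new_id = ec2.create_volume(**params)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_id])

    # 3. Stop the instance only if it is running, swap the device, restore DeleteOnTermination.
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    was_running = inst["State"]["Name"] == "running"
    if was_running:
        ec2.stop_instances(InstanceIds=[instance_id])
        ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])
    ec2.detach_volume(VolumeId=volume_id)
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    ec2.attach_volume(VolumeId=new_id, InstanceId=instance_id, Device=device)
    ec2.get_waiter("volume_in_use").wait(VolumeIds=[new_id])
    if att.get("DeleteOnTermination"):  # attach_volume defaults this flag to false
        ec2.modify_instance_attribute(InstanceId=instance_id, BlockDeviceMappings=[
            {"DeviceName": device, "Ebs": {"VolumeId": new_id, "DeleteOnTermination": True}}])
    if was_running:
        ec2.start_instances(InstanceIds=[instance_id])
    return new_id  # the old volume and snapshot are left for the caller to verify and delete


class FakeEC2:
    """Constructed stand-in for boto3.client("ec2"): canned data, records the call order."""

    def __init__(self, volumes, instance_state="running"):
        self.volumes = {v["VolumeId"]: v for v in volumes}
        self.instance_state, self.calls = instance_state, []

    def describe_volumes(self, VolumeIds=None, Filters=None):
        self.calls.append("describe_volumes")
        vols = [v for v in self.volumes.values() if not VolumeIds or v["VolumeId"] in VolumeIds]
        for f in Filters or []:  # supports the two filters the detection helper uses
            key = {"status": "State", "encrypted": "Encrypted"}[f["Name"]]
            vols = [v for v in vols if str(v[key]).lower() in f["Values"]]
        return {"Volumes": vols}

    def describe_instances(self, InstanceIds):
        self.calls.append("describe_instances")
        return {"Reservations": [{"Instances": [{"State": {"Name": self.instance_state}}]}]}

    def create_snapshot(self, **kw):
        self.calls.append("create_snapshot")
        return {"SnapshotId": "snap-0constructed"}

    def create_volume(self, **kw):
        self.calls.append("create_volume")
        self.volumes["vol-0encrypted"] = dict(kw, VolumeId="vol-0encrypted", State="available", Attachments=[])
        return {"VolumeId": "vol-0encrypted"}

    def detach_volume(self, VolumeId):
        self.calls.append("detach_volume")
        self.volumes[VolumeId].update(State="available", Attachments=[])

    def attach_volume(self, VolumeId, InstanceId, Device):
        self.calls.append("attach_volume")
        self.volumes[VolumeId].update(State="in-use", Attachments=[
            {"InstanceId": InstanceId, "Device": Device, "DeleteOnTermination": False}])

    def get_waiter(self, name):
        self.calls.append("wait:" + name)
        return type("Waiter", (), {"wait": staticmethod(lambda **kw: None)})()

    def __getattr__(self, name):  # stop_instances, start_instances, modify_instance_attribute: record only
        return lambda **kw: (self.calls.append(name), {})[1]


def sample_ec2(instance_state="running"):
    """Constructed fixture: one unencrypted gp3 root volume attached to one instance."""
    return FakeEC2([{"VolumeId": "vol-0unencrypted", "Encrypted": False, "State": "in-use",
                     "AvailabilityZone": "us-east-1a", "VolumeType": "gp3", "Iops": 3000,
                     "Attachments": [{"InstanceId": "i-0example", "Device": "/dev/xvda",
                                      "DeleteOnTermination": True}]}], instance_state)
```

Against a real account, pass boto3.client("ec2") and call swap_to_encrypted_volume once per ID returned by find_unencrypted_attached_volumes. The instance is stopped for the swap, an instance that was already stopped is left stopped afterwards, and the original volume and snapshot are not deleted so the instance can be verified booting from the encrypted copy first; an io1 or io2 volume must also have its Iops passed to create_volume, which the function carries over from the source volume.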

Discussion

12 comments
J0n102 (Options: AC)
Dec 4, 2023

A: strongly recommended controls - detects whether the Amazon EBS volumes attached to an Amazon EC2 instance are encrypted
C: Best way to encrypt an unencrypted volume

Russs99 (Options: AC)
Dec 9, 2023

The appropriate guardrail is A, the strongly recommended guardrail "Detect Whether Encryption is Enabled for Amazon EBS Volumes Attached to Amazon EC2 Instances". This guardrail continuously monitors your environment and detects any EC2 instances with unencrypted EBS volumes attached.

cypkir (Options: AC)
Nov 22, 2023

Answer: A C

devalenzuela86
Nov 24, 2023

https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-encrypt-existing-and-new-amazon-ebs-volumes.html
Creating a snapshot of each unencrypted volume, creating a new encrypted volume from the unencrypted snapshot, detaching the existing volume, and replacing it with the encrypted volume (Option C) is not required since the volumes can be encrypted in place.

heatblur
Nov 25, 2023

The volumes cannot be encrypted in place -- see the steps (copy/pasted from the link you shared):
1. AWS Config detects an unencrypted EBS volume.
2. An administrator uses AWS Config to send a remediation command to Systems Manager.
3. The Systems Manager automation takes a snapshot of the unencrypted EBS volume.
4. The Systems Manager automation uses AWS KMS to create an encrypted copy of the snapshot.
5. The Systems Manager automation does the following: Stops the affected EC2 instance if it is running. Attaches the new, encrypted copy of the volume to the EC2 instance. Returns the EC2 instance to its original state.
Also, under the Limitations section: "When you remediate existing, unencrypted EBS volumes, ensure that the EC2 instance is not in use. This automation shuts down the instance in order to detach the unencrypted volume and attach the encrypted one. There is downtime while the remediation is in progress."

shaaam80 (Options: AE)
Nov 29, 2023

"and ensure that unencrypted volumes will be detected automatically in the future." - to automatically detect unencrypted volumes, we need CloudTrail and EventBridge to detect and encrypt unencrypted volumes automatically.

shaaam80
Dec 6, 2023

Changing to A&C.

tfl (Options: AC)
Nov 30, 2023

AC for sure. Unencrypted EBS detection is part of strongly recommended guardrails, and you cannot encrypt a volume or snapshot in place. You need to create a new encrypted volume from an unencrypted snapshot, and attach it to the instance.

pic1 (Options: AE)
Nov 29, 2023

"...centrally manage multiple AWS accounts with a focus on compliance and security", and "...ensure that unencrypted volumes will be detected automatically..."

shaaam80 (Options: AC)
Dec 6, 2023

Answer AC

devalenzuela86
Nov 22, 2023

BD for sure

devalenzuela86
Nov 24, 2023

Change to BE. Creating an organization in AWS Organizations, setting up AWS Control Tower, and turning on the mandatory controls (guardrails) (Option D) is not required since the strongly recommended controls (guardrails) are sufficient.

ayadmawla (Options: AC)
Dec 10, 2023

Answer A+C

career360guru (Options: AC)
Jan 10, 2024

Option A & C

kejam (Options: AC)
Feb 2, 2024

https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#ebs-enable-encryption

vip2 (Options: AC)
Jul 9, 2024

A and C are correct according to https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#ebs-enable-encryption