Easiest Way to Encrypt EBS Volumes in AWS | Data Encryption at Rest

Encrypting EBS Volumes: The Easiest Solution for Data Encryption at Rest

Question

Your company has mandated that all data in AWS be encrypted at rest.

Which of the following options can achieve the requirement for EBS volumes in the easiest way?

Answers

Explanations

A. B. C. D.

Answer - D.

EBS encryption can be enabled when the volume is created and not for existing volumes.

Options A and B are incorrect because the most straightforward method is to encrypt the EBS volume in AWS when an EC2 instance is launched.

There is no need to use other third-party tools.

Option C is incorrect.

AWS Systems Manager is a management service that helps you automatically collect software inventory, apply OS patches, create system images, and configure Windows and Linux operating systems.

It does not help in this scenario.

Option D is CORRECT.

You can choose to encrypt a non-encrypted boot volume at instance launch.

https://aws.amazon.com/blogs/aws/new-encrypted-ebs-boot-volumes/

The easiest way to achieve the requirement of encrypting all data at rest on AWS is to enable EBS encryption during launch. Therefore, the correct answer is D.

Here's an explanation of each option:

A. Use Windows BitLocker for EBS volumes on Windows instances: This option is only applicable to Windows instances and requires additional configuration and management. BitLocker is a Microsoft encryption solution and is not native to AWS. Using this option would require setting up and managing a Key Management Service (KMS) in AWS, which can be complex and time-consuming.

B. Use TrueCrypt for EBS volumes on Linux instances: TrueCrypt is an open-source encryption software that is no longer maintained or updated. It is also not natively supported by AWS. Therefore, using this option would require manual installation and configuration, and ongoing maintenance and updates. Furthermore, the use of unsupported and unmaintained software can pose security risks.

C. Use AWS Systems Manager to encrypt the existing EBS volumes: AWS Systems Manager is a service that enables you to manage instances and their configurations at scale. However, it is not designed to encrypt existing EBS volumes. Using this option would require copying the data to a new, encrypted EBS volume, which can be time-consuming and incur additional storage costs.

D. Enable EBS encryption during launch: Enabling EBS encryption during launch is the easiest and most straightforward option. It allows you to encrypt the data at rest without requiring any additional configuration or management. When launching a new instance, you can simply select the option to enable EBS encryption. AWS will then automatically create an encrypted EBS volume and attach it to the instance.

In conclusion, the easiest and most straightforward way to achieve the requirement of encrypting all data at rest on AWS is to enable EBS encryption during launch, making answer D the correct option.
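To make option D concrete, here is an added example (not part of the original page or of any AWS tooling) that builds launch parameters with the root volume encrypted and audits a volume listing for anything left unencrypted. The dictionaries follow the shapes of the EC2 RunInstances and DescribeVolumes APIs; the AMI ID, volume and instance IDs, the `/dev/xvda` root device name and all function names are assumptions made for illustration.

```python
# Added example: dict shapes follow the EC2 RunInstances and DescribeVolumes APIs.
# All IDs below are constructed placeholders, not real resources.

def encrypted_launch_params(ami_id, instance_type, device_name="/dev/xvda",
                            size_gib=8, kms_key_id=None):
    """Build RunInstances parameters whose root EBS volume is encrypted at launch."""
    ebs = {"Encrypted": True, "VolumeSize": size_gib, "VolumeType": "gp3",
           "DeleteOnTermination": True}
    if kms_key_id:
        ebs["KmsKeyId"] = kms_key_id  # omitted: the account's default EBS key is used
    return {"ImageId": ami_id, "InstanceType": instance_type,
            "MinCount": 1, "MaxCount": 1,
            "BlockDeviceMappings": [{"DeviceName": device_name, "Ebs": ebs}]}

def unencrypted_mappings(params):
    """Pre-launch check: EBS devices in a request that do not set Encrypted=True.

    Conservative: a mapping that omits the flag can still come out encrypted
    (encrypted snapshot, account-level default), but the request does not prove it.
    """
    return [m.get("DeviceName") for m in params.get("BlockDeviceMappings", [])
            if "Ebs" in m and m["Ebs"].get("Encrypted") is not True]

def unencrypted_volumes(describe_volumes_response):
    """Post-launch audit: (volume id, attached instance ids) for unencrypted volumes."""
    return [(v["VolumeId"], [a["InstanceId"] for a in v.get("Attachments", [])])
            for v in describe_volumes_response.get("Volumes", [])
            if not v.get("Encrypted", False)]

# Constructed sample in the shape of a DescribeVolumes response.
SAMPLE_DESCRIBE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0example1", "Encrypted": True,
     "Attachments": [{"InstanceId": "i-0example1", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0example2", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0example1", "Device": "/dev/sdf"}]},
    {"VolumeId": "vol-0example3", "Encrypted": False, "Attachments": []},
]}

if __name__ == "__main__":
    params = encrypted_launch_params("ami-0example", "t3.micro")
    assert unencrypted_mappings(params) == []   # safe to pass to run_instances(**params)
    for vol_id, instances in unencrypted_volumes(SAMPLE_DESCRIBE_VOLUMES):
        print(f"UNENCRYPTED {vol_id} attached to {instances or 'nothing'}")
```

The audit also reports detached unencrypted volumes, which still hold data at rest and fall under the same mandate.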