AWS EBS Volume Encryption with KMS Key | Automated Weekly Reports

Check Encrypted EBS Volumes and Generate Weekly Reports

Question

You just joined a company as an AWS specialist.

You check your team's AWS account and find that a large number of EBS volumes are not encrypted.

However, the company's security policy mandates that all attached EBS volumes must be encrypted with a specified KMS key.

You need a service to automatically check whether attached EBS volumes are encrypted and send the weekly reports to your team.

Choose the easiest method from the following options.

Answers

Explanations


Correct Answer: D.

Option A is incorrect because the AWS managed rule "ec2-ebs-encryption-by-default" only checks whether EBS encryption by default is enabled for the account.

It does not evaluate whether individual EBS volumes are encrypted.

Option B is incorrect because the CloudWatch Event rule is triggered only by the volume-attach event.

It does not check the encryption status of volumes that are already attached.

Option C is incorrect because the "Security Best Practices-1.0" rule package does not include a check for EBS encryption.

Option D is CORRECT because, in AWS Config, the AWS managed rule "encrypted-volumes" checks whether attached EBS volumes are encrypted, optionally with a specified KMS key.

Reference:

https://docs.aws.amazon.com/config/latest/developerguide/encrypted-volumes.html

The easiest method to automatically check whether attached EBS volumes are encrypted and send weekly reports to your team is to use AWS Config with the AWS managed rule "encrypted-volumes". Option D is the correct answer.

AWS Config is a service that provides a detailed view of the configuration of AWS resources and can be used to monitor and evaluate compliance. AWS Config rules are pre-built, customizable rules that evaluate the configuration of AWS resources based on best practices and compliance standards. AWS managed rules are pre-built rules that are designed and maintained by AWS.

Option A suggests using AWS Config with the AWS managed rule "ec2-ebs-encryption-by-default" to check if EBS volumes are encrypted. This rule checks whether encryption by default is enabled for EBS volumes in the AWS account. However, it does not check the encryption status of already attached EBS volumes, so it is not the best option for this scenario.

Option B suggests configuring a CloudWatch Event rule for the volume-attach event with a Lambda function to check whether the attached volumes are encrypted. While this option is technically possible, it requires more effort and maintenance than option D. Additionally, the CloudWatch Event rule would need to be configured to trigger the Lambda function for each instance, which may not be practical in a large environment.

Option C suggests enabling AWS Inspector for EBS volumes and including the rule package of "Security Best Practices-1.0". While AWS Inspector can be used to evaluate the security of EC2 instances and EBS volumes, it is not the best option for this scenario as it requires more configuration and may not provide the desired level of detail.

Option D suggests using AWS Config with the AWS managed rule "encrypted-volumes" to check the encryption status of EBS volumes. This rule evaluates whether attached EBS volumes are encrypted, and its compliance results can be used to send weekly reports to the team about any volumes that are not encrypted. This option is the easiest and most straightforward method to meet the requirement in the scenario presented.
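The following is an added example, not part of the original page or of any AWS documentation. It shows two things side by side: the rule definition for the managed "encrypted-volumes" rule in the shape accepted by `aws configservice put-config-rule`, using the rule's source identifier `ENCRYPTED_VOLUMES` and its optional `kmsId` parameter, and a local emulation of the rule's evaluation logic run over constructed volume records shaped like EC2 DescribeVolumes output, so the compliance outcome can be seen offline. The rule name, account ID, KMS key ARNs, volume IDs and instance IDs are constructed placeholders, and treating detached volumes as NOT_APPLICABLE is this emulation's assumption. In a real deployment the weekly report would be built from AWS Config's own compliance results rather than from this emulation.

```python
import json
from collections import Counter

# Constructed placeholder: the KMS key the security policy mandates.
REQUIRED_KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-REQUIRED-KEY-PLACEHOLDER"

# Rule definition in the shape accepted by `aws configservice put-config-rule --config-rule`.
# ENCRYPTED_VOLUMES is the managed rule's source identifier; kmsId is its optional
# parameter (a comma-separated list of acceptable KMS key IDs or ARNs).
CONFIG_RULE_DEFINITION = {
    "ConfigRuleName": "attached-ebs-volumes-use-required-kms-key",  # constructed name
    "Description": "Attached EBS volumes must be encrypted with the mandated KMS key",
    "Scope": {"ComplianceResourceTypes": ["AWS::EC2::Volume"]},
    "Source": {"Owner": "AWS", "SourceIdentifier": "ENCRYPTED_VOLUMES"},
    "InputParameters": json.dumps({"kmsId": REQUIRED_KMS_KEY_ARN}),
}

# Constructed sample volumes, shaped like EC2 DescribeVolumes output.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": REQUIRED_KMS_KEY_ARN,
     "Attachments": [{"InstanceId": "i-0001", "State": "attached"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0002", "State": "attached"}]},
    {"VolumeId": "vol-0ccc", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-OTHER-KEY-PLACEHOLDER",
     "Attachments": [{"InstanceId": "i-0003", "State": "attached"}]},
    {"VolumeId": "vol-0ddd", "Encrypted": False, "Attachments": []},  # detached: out of scope
]


def evaluate_volume(volume, required_kms_key=None):
    """Return (compliance_type, annotation) for one volume.

    Mirrors the rule's documented behaviour: NON_COMPLIANT when an attached volume
    is unencrypted or uses a key other than the supplied one. Reporting detached
    volumes as NOT_APPLICABLE is this emulation's assumption.
    """
    attached = any(a.get("State") == "attached" for a in volume.get("Attachments", []))
    if not attached:
        return "NOT_APPLICABLE", "volume is not attached"
    if not volume.get("Encrypted", False):
        return "NON_COMPLIANT", "volume is not encrypted"
    if required_kms_key and volume.get("KmsKeyId") != required_kms_key:
        return "NON_COMPLIANT", "volume is encrypted with a KMS key other than the required one"
    return "COMPLIANT", "volume is encrypted with an acceptable KMS key"


def build_report(volumes, required_kms_key=None):
    """Evaluate every volume and summarise the results for a weekly report."""
    results = {v["VolumeId"]: evaluate_volume(v, required_kms_key) for v in volumes}
    counts = Counter(compliance for compliance, _ in results.values())
    non_compliant = sorted(vid for vid, (c, _) in results.items() if c == "NON_COMPLIANT")
    return {"counts": dict(counts), "non_compliant": non_compliant, "results": results}


def format_report(report):
    """Render the summary as plain text suitable for an e-mail or chat notification."""
    lines = ["Weekly EBS encryption compliance report"]
    for compliance in ("COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"):
        lines.append(f"  {compliance}: {report['counts'].get(compliance, 0)}")
    for vid in report["non_compliant"]:
        lines.append(f"  - {vid}: {report['results'][vid][1]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(json.dumps(CONFIG_RULE_DEFINITION, indent=2))
    print(format_report(build_report(SAMPLE_VOLUMES, REQUIRED_KMS_KEY_ARN)))
```

Running the block prints the rule definition and a report in which vol-0bbb (unencrypted) and vol-0ccc (wrong key) are flagged, vol-0aaa passes, and the detached vol-0ddd is left out of the compliance count. The point worth noticing is the third case: a volume can be encrypted and still violate the policy, which is why the rule's `kmsId` parameter matters when the policy names a specific key.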