Ensure Data Encryption on EC2 Instance for Application Deployment

Encrypt Application Data on EC2 Instance Volume


Question

Your team has completed development of an application.

Now, this needs to be deployed to an application on an EC2 Instance.

The Application data will be stored on a separate volume which needs to be encrypted at rest.

How can you ensure this requirement is met?

Answers

A. Ensure that encryption is enabled during volume creation time.
B. Ensure to use Throughput Optimized HDD to allow for encryption.
C. Create a customer master key in the KMS service.
D. Create an EBS encryption key.

Explanations

Answer - A.

The AWS Documentation mentions the following.

Amazon EBS encryption uses AWS Key Management Service (AWS KMS) customer master keys (CMKs) when creating encrypted volumes and any snapshots created from them.

A unique AWS-managed CMK is created for you automatically in each region where you store AWS assets.

This key is used for Amazon EBS encryption.

Option B is incorrect since encryption is possible on all EBS volume types.

Option C is incorrect because encryption of an EBS volume can be done without generating a CMK in the console.

Option D is incorrect since you need to create the encryption key in the KMS service.

For more information on EBS encryption, please refer to the following link:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

To ensure that the data stored on a separate volume is encrypted at rest when deploying an application on an EC2 instance, the following options can be considered:

A. Ensure that encryption is enabled during volume creation time: When creating the volume for the EC2 instance, select the option to enable encryption. This ensures that all data written to the volume is encrypted at rest. However, this alone may not be sufficient to ensure the security of the data, as the encryption key may not be protected adequately.

B. Ensure to use Throughput Optimized HDD to allow for encryption: This option is incorrect. The type of EBS volume used has no impact on the ability to encrypt the data at rest. All EBS volume types support encryption, and the encryption process is performed at the software level rather than the hardware level.

C. Create a customer master key in the KMS service: Create a customer master key (CMK) in the AWS Key Management Service (KMS). This key can be used to encrypt the volume, ensuring that only authorized users can access the data. The CMK is a cryptographic key that is used to encrypt and decrypt data. Once the key is created, it can be used to encrypt the volume.

D. Create an EBS encryption key: This option is incorrect. An EBS encryption key is used to encrypt the data stored on an EBS volume. However, it is not sufficient to ensure the encryption of the data at rest on a separate volume attached to an EC2 instance. A CMK should be used instead.

In summary, to ensure that the data stored on a separate volume attached to an EC2 instance is encrypted at rest, the recommended approach is to create a CMK in the KMS service and use it to encrypt the volume during creation.
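As an added example that is not part of the original question page, the check below audits the JSON that `aws ec2 describe-volumes --output json` returns and flags any volume attached to the application instance that is either unencrypted or encrypted with a KMS key outside an approved customer-managed set (for instance the AWS-managed `aws/ebs` key). The sample document, the instance ID `i-app01` and the key ARNs are constructed placeholders; the volume type is ignored on purpose, since every EBS volume type supports encryption.

```python
import json

# Constructed sample, trimmed to the shape of `aws ec2 describe-volumes --output json`
# (only the fields this check reads). Instance, account and key IDs are placeholders.
SAMPLE_DESCRIBE_VOLUMES = json.dumps({
    "Volumes": [
        {"VolumeId": "vol-0a1", "VolumeType": "gp3", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-CMK",
         "Attachments": [{"InstanceId": "i-app01", "Device": "/dev/xvda"}]},
        {"VolumeId": "vol-0b2", "VolumeType": "st1", "Encrypted": False,
         "Attachments": [{"InstanceId": "i-app01", "Device": "/dev/xvdf"}]},
        {"VolumeId": "vol-0c3", "VolumeType": "gp2", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-AWS-MANAGED",
         "Attachments": [{"InstanceId": "i-app01", "Device": "/dev/xvdg"}]},
    ]
})


def audit_volumes(describe_volumes_json, approved_key_arns):
    """Return (volume_id, reason, attached_instance_ids) for every failing volume.

    Rules, in order:
      * Encrypted is false                      -> "UNENCRYPTED"
      * KmsKeyId not in the approved CMK set    -> "UNAPPROVED_KEY"
        (covers the AWS-managed aws/ebs key and keys from other accounts)
    VolumeType is deliberately ignored: every EBS type can be encrypted.
    """
    findings = []
    for vol in json.loads(describe_volumes_json)["Volumes"]:
        attached_to = [a["InstanceId"] for a in vol.get("Attachments", [])]
        if not vol.get("Encrypted", False):
            findings.append((vol["VolumeId"], "UNENCRYPTED", attached_to))
        elif vol.get("KmsKeyId") not in approved_key_arns:
            findings.append((vol["VolumeId"], "UNAPPROVED_KEY", attached_to))
    return findings


def instance_is_compliant(describe_volumes_json, instance_id, approved_key_arns):
    """True only when no finding touches a volume attached to instance_id."""
    return not any(instance_id in attached
                   for _, _, attached in audit_volumes(describe_volumes_json, approved_key_arns))


if __name__ == "__main__":
    approved = {"arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-CMK"}
    for vol_id, reason, attached in audit_volumes(SAMPLE_DESCRIBE_VOLUMES, approved):
        print(f"{vol_id}: {reason} (attached to {', '.join(attached) or 'nothing'})")
    print("i-app01 compliant:", instance_is_compliant(SAMPLE_DESCRIBE_VOLUMES, "i-app01", approved))
```

On a real account, feed the script the output of `aws ec2 describe-volumes --filters Name=attachment.instance-id,Values=<instance-id> --output json` and populate the approved set with the ARN of the CMK you created in KMS.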