AWS Certified Security – Specialty SCS-C01 – Question157

Auditors for a health care company have mandated that all data volumes be encrypted at rest. Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems.
What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

A. On a recurring basis, update all IAM user policies to require that EC2 instances are created with an encrypted volume.
B. Configure an AWS Config rule to run on a recurring basis for volume encryption.
C. Set up Amazon Inspector rules for volume encryption to run on a recurring schedule.
D. Use CloudWatch Logs to determine whether instances were created with an encrypted volume.

Correct Answer: B

Explanation:

Using AWS Config rules, you can run continuous assessment checks on your resources to verify that they comply with your own security policies, industry best practices, and compliance regimes such as PCI DSS or HIPAA. For example, AWS Config provides a managed rule (encrypted-volumes, source identifier ENCRYPTED_VOLUMES) that checks whether every EBS volume attached to an EC2 instance is encrypted, and it can be evaluated both when a volume's configuration changes and on a periodic schedule, which is what makes it the right answer here: it catches volumes created by CloudFormation, by third-party frameworks, and by hand alike. You can also write a custom AWS Config rule backed by a Lambda function to "codify" your own corporate security policies, such as requiring a specific KMS key. AWS Config flags a resource as non-compliant when it is misconfigured or violates a rule, and can notify you through Amazon SNS or Amazon EventBridge. The other options do not monitor anything: IAM policies (A) can restrict what users may create but do not report on existing volumes, Amazon Inspector (C) assesses instances for software vulnerabilities and network exposure rather than EBS encryption, and CloudWatch Logs (D) does not contain volume configuration. Reference: https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
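As an added example (not part of the original question or the AWS managed rule), the following Lambda handler implements a custom AWS Config rule that enforces the same policy as encrypted-volumes and extends it with an assumed rule parameter, allowedKmsKeyArns, that restricts which CMKs may be used. It handles both trigger types a Config rule can have: a configuration-change notification (one configuration item for the volume) and a scheduled notification, where the function itself lists volumes with ec2:DescribeVolumes so that manually created volumes are still covered. The sample configuration items and volumes at the bottom are constructed for offline testing; the boto3 calls only run inside Lambda.

```python
"""Custom AWS Config rule for EBS encryption at rest (added example).

The pure evaluation functions run offline; lambda_handler wires them to
AWS Config. `allowedKmsKeyArns` is an assumed, illustrative parameter name.
"""
import json
from datetime import datetime, timezone

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"
VOLUME_TYPE = "AWS::EC2::Volume"


def check_volume(encrypted, kms_key_id, allowed_keys=None):
    """Core policy: the volume must be encrypted and, when allowed_keys is
    non-empty, must use one of those KMS key ARNs. Returns (compliance, note)."""
    if not encrypted:
        return NON_COMPLIANT, "EBS volume is not encrypted at rest"
    if allowed_keys and kms_key_id not in allowed_keys:
        return NON_COMPLIANT, f"Encrypted with unapproved KMS key {kms_key_id}"
    return COMPLIANT, "Encrypted at rest"


def parse_allowed_keys(rule_parameters):
    """Rule parameters reach the Lambda as strings; treat the (assumed)
    allowedKmsKeyArns parameter as a comma-separated list of key ARNs."""
    raw = (rule_parameters or {}).get("allowedKmsKeyArns", "")
    return {k.strip() for k in raw.split(",") if k.strip()}


def evaluate_config_item(item, rule_parameters=None):
    """Change-triggered path: evaluate one AWS Config configuration item."""
    if item.get("resourceType") != VOLUME_TYPE:
        return NOT_APPLICABLE, "Not an EBS volume"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "Volume has been deleted"
    cfg = item.get("configuration") or {}
    return check_volume(bool(cfg.get("encrypted")), cfg.get("kmsKeyId"),
                        parse_allowed_keys(rule_parameters))


def evaluation_for_item(item, rule_parameters=None):
    """Build the PutEvaluations entry for a configuration item."""
    compliance, note = evaluate_config_item(item, rule_parameters)
    return {
        "ComplianceResourceType": VOLUME_TYPE,
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config limits annotations to 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def evaluations_for_described_volumes(volumes, rule_parameters=None, now=None):
    """Scheduled path: evaluate ec2:DescribeVolumes output so volumes created
    outside CloudFormation are also reported on every periodic run."""
    now = now or datetime.now(timezone.utc)
    allowed = parse_allowed_keys(rule_parameters)
    evaluations = []
    for vol in volumes:
        compliance, note = check_volume(vol.get("Encrypted", False),
                                        vol.get("KmsKeyId"), allowed)
        evaluations.append({
            "ComplianceResourceType": VOLUME_TYPE,
            "ComplianceResourceId": vol["VolumeId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],
            "OrderingTimestamp": now,
        })
    return evaluations


def lambda_handler(event, context):
    """Entry point invoked by AWS Config; needs config:PutEvaluations and
    ec2:DescribeVolumes permissions on the function's execution role."""
    import boto3  # only needed inside Lambda; the logic above runs offline
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    if invoking.get("messageType") == "ScheduledNotification":
        pages = boto3.client("ec2").get_paginator("describe_volumes").paginate()
        volumes = [v for page in pages for v in page["Volumes"]]
        evaluations = evaluations_for_described_volumes(volumes, params)
    else:
        evaluations = [evaluation_for_item(invoking["configurationItem"], params)]
    config = boto3.client("config")
    for i in range(0, len(evaluations), 100):  # PutEvaluations accepts at most 100 entries
        config.put_evaluations(Evaluations=evaluations[i:i + 100],
                               ResultToken=event["resultToken"])
    return evaluations


# Constructed sample data (not real AWS output) for running the checks offline.
APPROVED_KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_ITEMS = [
    {"resourceType": VOLUME_TYPE, "resourceId": "vol-0aaa000000000001",
     "configurationItemStatus": "ResourceDiscovered",
     "configurationItemCaptureTime": "2023-05-01T10:00:00.000Z",
     "configuration": {"encrypted": True, "kmsKeyId": APPROVED_KEY}},
    {"resourceType": VOLUME_TYPE, "resourceId": "vol-0aaa000000000002",
     "configurationItemStatus": "OK",
     "configurationItemCaptureTime": "2023-05-01T10:05:00.000Z",
     "configuration": {"encrypted": False, "kmsKeyId": None}},
]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0bbb000000000001", "Encrypted": True, "KmsKeyId": APPROVED_KEY},
    {"VolumeId": "vol-0bbb000000000002", "Encrypted": False},
]

if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print(evaluation_for_item(item))
    for ev in evaluations_for_described_volumes(SAMPLE_VOLUMES, {"allowedKmsKeyArns": APPROVED_KEY}):
        print(ev["ComplianceResourceId"], ev["ComplianceType"], ev["Annotation"])
```

To deploy this as a Config rule you would register the function as a custom Lambda rule with both trigger types (configuration changes scoped to AWS::EC2::Volume plus a MaximumExecutionFrequency such as TwentyFour_Hours) and grant config.amazonaws.com permission to invoke it. If the plain "is it encrypted" check is all the auditors need, the managed ENCRYPTED_VOLUMES rule gives the same recurring evaluation without any code.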