Examtopics

AWS Certified Solutions Architect - Associate
  • Topic 1 Question 419

    A company uses AWS Organizations with all features enabled and runs multiple Amazon EC2 workloads in the ap-southeast-2 Region. The company has a service control policy (SCP) that prevents any resources from being created in any other Region. A security policy requires the company to encrypt all data at rest.

    An audit discovers that employees have created Amazon Elastic Block Store (Amazon EBS) volumes for EC2 instances without encrypting the volumes. The company wants any new EC2 instances that any IAM user or root user launches in ap-southeast-2 to use encrypted EBS volumes. The company wants a solution that will have minimal effect on employees who create EBS volumes.

    Which combination of steps will meet these requirements?

    (Choose two.)
    • In the Amazon EC2 console, select the EBS encryption account attribute and define a default encryption key.

    • Create an IAM permission boundary. Attach the permission boundary to the root organizational unit (OU). Define the boundary to deny the ec2:CreateVolume action when the ec2:Encrypted condition equals false.

    • Create an SCP. Attach the SCP to the root organizational unit (OU). Define the SCP to deny the ec2:CreateVolume action when the ec2:Encrypted condition equals false.

    • Update the IAM policies for each account to deny the ec2:CreateVolume action when the ec2:Encrypted condition equals false.

    • In the Organizations management account, specify the Default EBS volume encryption setting.
