SAP-C02 Question 370
Question
A company has multiple AWS accounts. The company recently had a security audit that revealed many unencrypted Amazon Elastic Block Store (Amazon EBS) volumes attached to Amazon EC2 instances. A solutions architect must encrypt the unencrypted volumes and ensure that unencrypted volumes will be detected automatically in the future. Additionally, the company wants a solution that can centrally manage multiple AWS accounts with a focus on compliance and security. Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)
Options
A. Create an organization in AWS Organizations. Set up AWS Control Tower, and turn on the strongly recommended controls (guardrails). Join all accounts to the organization. Categorize the AWS accounts into OUs.
B. Use the AWS CLI to list all the unencrypted volumes in all the AWS accounts. Run a script to encrypt all the unencrypted volumes in place.
C. Create a snapshot of each unencrypted volume. Create a new encrypted volume from the unencrypted snapshot. Detach the existing volume, and replace it with the encrypted volume.
D. Create an organization in AWS Organizations. Set up AWS Control Tower, and turn on the mandatory controls (guardrails). Join all accounts to the organization. Categorize the AWS accounts into OUs.
E. Turn on AWS CloudTrail. Configure an Amazon EventBridge rule to detect and automatically encrypt unencrypted volumes.
Answer
AC
Explanation
Correct answer: AC. Explanation: the answer to this question is AC. Correct options: A. Create an organization in AWS Organizations. Set up AWS Control Tower, and turn on the strongly recommended controls (guardrails). Join all accounts to the organization. Categorize the AWS accounts into OUs. C. Create a snapshot of each unencrypted volume. Create a new encrypted volume from the unencrypted snapshot. Detach the existing volume, and replace it with the encrypted volume. Reason for selection: these options most directly satisfy the key constraints in the question stem. When working through SAP-C02 questions, check the qualifiers in the stem at the same time, for example...
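The two halves of the correct answer are detection (find every volume whose Encrypted flag is false) and the snapshot-based remediation in option C (snapshot, create an encrypted volume from that snapshot, detach the old volume, attach the new one). The following Python script is an added example, not part of the original question bank or of any AWS documentation. It implements both steps against a client that exposes the boto3 EC2 call names (`describe_volumes`, `create_snapshot`, `create_volume`, `detach_volume`, `attach_volume`); `FakeEc2`, the `SAMPLE_VOLUMES` data and the `alias/ebs-default` key alias are constructed stand-ins so the script runs offline, and a real `boto3.client("ec2")` per account would take the fake's place.

```python
"""Detect unencrypted EBS volumes and remediate them the way option C describes."""
import copy
from dataclasses import dataclass, field

# Constructed sample shaped like the DescribeVolumes response of one account.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": True, "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-111", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0b2", "Encrypted": False, "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-111", "Device": "/dev/xvdf"}]},
    {"VolumeId": "vol-0c3", "Encrypted": False, "AvailabilityZone": "us-east-1b",
     "Attachments": []},
]


@dataclass
class FakeEc2:
    """Offline stand-in for a boto3 EC2 client (hypothetical; records every call)."""
    volumes: list
    calls: list = field(default_factory=list)
    _counter: int = 0

    def _new_id(self, prefix):
        self._counter += 1
        return f"{prefix}-{self._counter:08x}"

    def describe_volumes(self, **kw):
        return {"Volumes": self.volumes}

    def create_snapshot(self, VolumeId, Description=""):
        self.calls.append(("create_snapshot", VolumeId))
        return {"SnapshotId": self._new_id("snap")}

    def create_volume(self, SnapshotId, AvailabilityZone, Encrypted, **kw):
        self.calls.append(("create_volume", SnapshotId, Encrypted))
        vol_id = self._new_id("vol")
        self.volumes.append({"VolumeId": vol_id, "Encrypted": Encrypted,
                             "AvailabilityZone": AvailabilityZone, "Attachments": []})
        return {"VolumeId": vol_id}

    def detach_volume(self, VolumeId):
        self.calls.append(("detach_volume", VolumeId))
        return {}

    def attach_volume(self, VolumeId, InstanceId, Device):
        self.calls.append(("attach_volume", VolumeId, InstanceId, Device))
        return {}


def find_unencrypted_volumes(ec2):
    """Detection step: every volume description whose Encrypted flag is not true."""
    return [v for v in ec2.describe_volumes()["Volumes"] if not v.get("Encrypted")]


def remediate_volume(ec2, vol, kms_key_id=None):
    """Option C for one volume: snapshot -> encrypted volume -> detach old -> attach new.

    Returns the new encrypted volume's id. The old volume is left in place so it
    can be verified (and then deleted) separately.
    """
    snap = ec2.create_snapshot(VolumeId=vol["VolumeId"],
                               Description=f"pre-encryption copy of {vol['VolumeId']}")
    # EC2 lets an encrypted volume be created directly from an unencrypted snapshot
    # when Encrypted=True is passed; the key is optional, so only send it when set.
    kwargs = {"SnapshotId": snap["SnapshotId"], "AvailabilityZone": vol["AvailabilityZone"],
              "Encrypted": True}
    if kms_key_id:
        kwargs["KmsKeyId"] = kms_key_id
    new_vol = ec2.create_volume(**kwargs)
    # Swap the attachment(s) over to the encrypted replacement.
    for att in vol.get("Attachments", []):
        ec2.detach_volume(VolumeId=vol["VolumeId"])
        ec2.attach_volume(VolumeId=new_vol["VolumeId"], InstanceId=att["InstanceId"],
                          Device=att["Device"])
    return new_vol["VolumeId"]


def remediate_account(ec2, kms_key_id=None):
    """Detect then remediate for one account's client; maps old volume id -> new id."""
    return {v["VolumeId"]: remediate_volume(ec2, v, kms_key_id)
            for v in find_unencrypted_volumes(ec2)}


def demo():
    """Run detection and remediation over the constructed sample; returns the client."""
    ec2 = FakeEc2(volumes=copy.deepcopy(SAMPLE_VOLUMES))
    mapping = remediate_account(ec2, kms_key_id="alias/ebs-default")
    return ec2, mapping


if __name__ == "__main__":
    client, replaced = demo()
    for old, new in replaced.items():
        print(f"{old} -> {new}")
    for call in client.calls:
        print(call)
```

Against a real client the same sequence needs the waiters the fake skips (`get_waiter("snapshot_completed")` after `create_snapshot`, `get_waiter("volume_available")` after `create_volume` and after `detach_volume`), a stopped instance before swapping a root volume, and a per-account client created from the management account's role so the loop covers every account the audit found; the ongoing detection the question asks for is then the Control Tower control from option A rather than this one-off script.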