SAP-C02 Study Assistant

SAP-C02 Question 518

EC2 EBS Config KMS Systems Manager

Question

A company has deployed applications to thousands of Amazon EC2 instances in an AWS account. A security audit discovers that several unencrypted Amazon Elastic Block Store (Amazon EBS) volumes are attached to the EC2 instances. The company’s security policy requires the EBS volumes to be encrypted. The company needs to implement an automated solution to encrypt the EBS volumes. The solution also must prevent development teams from creating unencrypted EBS volumes. Which solution will meet these requirements?

Options

A. Configure the AWS Config managed rule that identifies unencrypted EBS volumes. Configure an automatic remediation action. Associate an AWS Systems Manager Automation runbook that includes the steps to create a new encrypted EBS volume. Create an AWS Key Management Service (AWS KMS) customer managed key. In the key policy, include a statement to deny the creation of unencrypted EBS volumes.

B. Use AWS Systems Manager Fleet Manager to create a list of unencrypted EBS volumes. Create a Systems Manager Automation runbook that includes the steps to create a new encrypted EBS volume. Create an SCP to deny the creation of unencrypted EBS volumes.

C. Use AWS Systems Manager Fleet Manager to create a list of unencrypted EBS volumes. Create a Systems Manager Automation runbook that includes the steps to create a new encrypted EBS volume. Modify the AWS account setting for EBS encryption to always encrypt new EBS volumes.

D. Configure the AWS Config managed rule that identifies unencrypted EBS volumes. Configure an automatic remediation action. Associate an AWS Systems Manager Automation runbook that includes the steps to create a new encrypted EBS volume. Modify the AWS account setting for EBS encryption to always encrypt new EBS volumes.

Answer

D

Explanation

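Correct answer: D

Explanation: The answer to this question is D.

Correct option: D. Configure the AWS Config managed rule that identifies unencrypted EBS volumes. Configure an automatic remediation action. Associate an AWS Systems Manager Automation runbook that includes the steps to create a new encrypted EBS volume. Modify the AWS account setting for EBS encryption to always encrypt new EBS volumes.

Reason for selection: This option most directly satisfies the key constraints in the question. When working through SAP-C02 questions, you also need to check the qualifiers in the question stem, for example the highest...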
