How to Efficiently Identify Unencrypted EBS Volumes in AWS | AWS Certified Security - Specialty Exam Prep

Efficiently Identify Unencrypted EBS Volumes in AWS

Question

Your company has a set of EBS volumes defined in AWS.

The security mandate is that all EBS volumes are encrypted.

What would be the most efficient way to notify the IT admin if there are any unencrypted volumes in the account?

Answers

Explanations



Answer: B.

Option A is incorrect because AWS Inspector cannot be used to check whether EBS volumes are encrypted.

Option B is CORRECT because the encrypted-volumes config rule for AWS Config can be used to check for unencrypted volumes.

Option C is incorrect because AWS GuardDuty cannot be used to check whether EBS volumes are encrypted.

Option D is incorrect because, even though a Lambda-only solution is possible, implementing and maintaining it would not be as efficient as using the AWS Config rule.

For more information on AWS Config and encrypted volumes, refer to the following URL:

https://docs.aws.amazon.com/config/latest/developerguide/ec2-ebs-encryption-by-default.html

The most efficient way to notify the IT admin if there are any unencrypted EBS volumes in the account is to use AWS Config.

AWS Config provides a way to assess, audit, and evaluate the configuration of AWS resources continuously. It enables you to track changes to resources and evaluate resource configurations for compliance with organizational standards and industry best practices. You can define rules to check for specific configurations and track compliance over time.

To check for unencrypted EBS volumes using AWS Config, you can use a rule that evaluates the encryption status of each EBS volume (the managed encrypted-volumes rule, or a custom rule of your own). The rule flags any EBS volume that is not encrypted, and a notification can then be sent to the IT admin.
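What such a custom Config rule evaluates, as an added example that is not from this page or from AWS: the Lambda handler receives a configuration item for an `AWS::EC2::Volume` and reports COMPLIANT or NON_COMPLIANT back to AWS Config. It assumes the standard custom-rule invoking-event shape, a constructed sample volume ID, and that the notification to the admin is wired separately (for example an EventBridge rule on compliance changes that publishes to SNS).

```python
"""Custom AWS Config rule evaluator for EBS volume encryption (added example)."""
import json

# Constructed sample of what AWS Config passes to a custom rule's Lambda:
# event["invokingEvent"] is a JSON string; only the fields used here are shown.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",  # constructed volume id
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configurationItemStatus": "OK",
            "configuration": {"encrypted": False, "kmsKeyId": None},
        },
    }),
    "resultToken": "CONSTRUCTED-RESULT-TOKEN",
}

def evaluate_volume(configuration_item):
    """Return (compliance_type, annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "Rule only evaluates EBS volumes"
    if configuration_item.get("configurationItemStatus") in (
            "ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Volume no longer exists"
    config = configuration_item.get("configuration") or {}
    if config.get("encrypted") is True:
        return "COMPLIANT", "Volume is encrypted"
    return "NON_COMPLIANT", "EBS volume is not encrypted"

def build_evaluation(event):
    """Parse the invoking event and build one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_volume(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    """Entry point when deployed as the rule's Lambda; reports to Config."""
    evaluation = build_evaluation(event)
    import boto3  # imported here so the evaluation logic above runs offline
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```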

AWS Inspector is a security assessment service that helps you test the network accessibility of your EC2 instances and the security state of your applications. It is not designed to evaluate the encryption status of EBS volumes.

AWS GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in your AWS accounts. It is not designed to evaluate the encryption status of EBS volumes.

AWS Lambda is a serverless compute service that runs code in response to events and automatically manages the underlying compute resources. While it is possible to use AWS Lambda to check for unencrypted EBS volumes, doing so requires more configuration and ongoing maintenance than AWS Config, which is specifically designed for evaluating resource configurations.

Therefore, the most efficient way to notify the IT admin if there are any unencrypted EBS volumes in the account is to use AWS Config to check for unencrypted EBS volumes.