An existing application stores sensitive information on a non-boot Amazon EBS data volume attached to an Amazon Elastic Compute Cloud instance. Which of the following approaches would protect the sensitive data on an Amazon EBS volume?
A. Upload your customer keys to AWS CloudHSM. Associate the Amazon EBS volume with AWS CloudHSM. Re-mount the Amazon EBS volume.
B. Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume. Delete the old Amazon EBS volume.
C. Unmount the EBS volume. Toggle the encryption attribute to True. Re-mount the Amazon EBS volume.
D. Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted Amazon EBS volume. Mount the Amazon EBS volume.
Correct Answer: B
Explanation/Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
To migrate data between encrypted and unencrypted volumes:
1. Create your destination volume (encrypted or unencrypted, depending on your need) by following the procedures in Creating an Amazon EBS Volume.
2. Attach the destination volume to the instance that hosts the data to migrate. For more information, see Attaching an Amazon EBS Volume to an Instance.
3. ... procedures in Making an Amazon EBS Volume Available for Use. For Linux instances, you can create a mount point at /mnt/destination and mount the destination volume there.
4. Copy the data from your source directory to the destination volume. It may be most convenient to use a bulk-copy utility for this.
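The migration steps quoted above, together with option B's final "delete the old volume" step, sketched as a shell script. This is an added example, not part of the original page or the AWS documentation; the volume IDs, device name, `gp3` volume type and ext4 file system are assumptions, and the old volume is deleted only after the copied data has been compared with the source.

```shell
#!/usr/bin/env bash
# Added example. With DRY_RUN=1 (the default) AWS and root-level commands are
# printed, not executed; the file copy and its verification always run.
# IDs, device name, volume type and file system are constructed placeholders.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Step 1: create the encrypted destination volume. Args: az size_gib
create_encrypted_volume() {
  run aws ec2 create-volume --availability-zone "$1" --size "$2" \
      --volume-type gp3 --encrypted
}

# Steps 2-3: attach, create a file system, mount.
# Args: new_volume_id instance_id device mountpoint
attach_and_mount() {
  run aws ec2 wait volume-available --volume-ids "$1"
  run aws ec2 attach-volume --volume-id "$1" --instance-id "$2" --device "$3"
  run aws ec2 wait volume-in-use --volume-ids "$1"
  run mkfs -t ext4 "$3"
  run mkdir -p "$4"
  run mount "$3" "$4"
}

# Step 4: bulk copy, then compare file contents (ext4's lost+found is ignored).
# Args: src_dir dst_dir
copy_and_verify() {
  if command -v rsync >/dev/null 2>&1; then
    rsync -aH "$1"/ "$2"/ || return 1
  else
    cp -a "$1"/. "$2"/ || return 1
  fi
  diff -r -x lost+found "$1" "$2" >/dev/null
}

# Final step of option B: delete the old volume, only if the copy still matches.
# Args: src_dir dst_dir old_volume_id
retire_source() {
  if ! diff -r -x lost+found "$1" "$2" >/dev/null; then
    echo "refusing to delete $3: destination differs from source" >&2
    return 1
  fi
  run umount "$1"
  run aws ec2 detach-volume --volume-id "$3"
  run aws ec2 wait volume-available --volume-ids "$3"
  run aws ec2 delete-volume --volume-id "$3"
}
```

Before retiring the source, `aws ec2 describe-volumes --volume-ids <new volume id> --query 'Volumes[0].Encrypted'` confirms that the destination volume is actually encrypted.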
B and D are close, I will go with B because you can move data between encrypted and unencrypted volumes through sync command.
“When you have access to both an encrypted and unencrypted volume, you can freely transfer data between them. EC2 carries out the encryption and decryption operations transparently.
For example, use the rsync command to copy the data.”
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#migrate-data-encrypted-unencrypted
Option D does not talk about the old Amazon EBS volume and therefore it is not a valid option.
I would say D too
D would have been correct if it would have talked about creating an encrypted snapshot from the unencrypted snapshot, which is the missing link here, and therefore B is the ideal answer. Further, refer to the blog:
https://n2ws.com/blog/how-to-guides/migrate-to-encrypted-ebs-volume
which is exactly the same case.
Option D is also a valid option here.