You just joined a company as an AWS specialist. You check your teams’ AWS account and have found that a large number of EBS volumes are not encrypted. However, the company’s security policy mandates that all attached EBS volumes must be encrypted with a specified KMS key. You need a service to automatically check whether attached EBS volumes are encrypted and send the weekly reports to your team. Choose the easiest method from the following options.

Answer options:

A.In AWS Config, add the AWS managed rule “ec2-ebs-encryption-by-default” to check if EBS volumes are encrypted.
B.Configure a CloudWatch Event rule for the volume attaching event with a Lambda function to check if the attached volumes are encrypted.
C.Enable AWS Inspector for EBS volumes and include the rule package of “Security Best Practices-1.0”.
D.In AWS Config, add the AWS managed rule “encrypted-volumes” to check the encryption status of EBS volumes.

Correct Answer: D
Option A is incorrect because the AWS managed rule “ec2-ebs-encryption-by-default” checks if EBS encryption is enabled by default. It does not evaluate whether EBS volumes are encrypted or not.
Option B is incorrect because the CloudWatch Event rule is triggered for the volume attaching event. It does not check the existing attached volumes’ encryption status.
Option C is incorrect because the rule package of “Security Best Practices-1.0” does not include the check for EBS encryption.
Option D is CORRECT because, in AWS Config, the AWS managed rule “encrypted-volumes” can easily check if EBS volumes are encrypted with a KMS key.
Reference:
https://docs.aws.amazon.com/config/latest/developerguide/encrypted-volumes.html