Which of the following approaches would protect the sensitive data on an Amazon EBS volume?

An existing application stores sensitive information on a non-boot Amazon EBS data volume attached to an
Amazon Elastic Compute Cloud instance. Which of the following approaches would protect the sensitive data
on an Amazon EBS volume?

A.
Upload your customer keys to AWS CloudHSM. Associate the Amazon EBS volume with AWS CloudHSM. Remount the Amazon EBS volume.

B.
Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume. Delete the old
Amazon EBS volume.

C.
Unmount the EBS volume. Toggle the encryption attribute to True. Re-mount the Amazon EBS volume.

D.
Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted Amazon EBS volume.
Mount the Amazon EBS volume



tom

I would say ‘B’ is the right answer as option ‘D’ doesn’t provide a vital step in the process.

ref: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

Extract:
Apply Encryption While Copying a Snapshot

Because you can apply encryption to a snapshot while copying it, another path to encrypting your data is the following procedure.

To encrypt a volume’s data by means of snapshot copying

Create a snapshot of your unencrypted EBS volume. This snapshot is also unencrypted.

==> Copy the snapshot while applying encryption parameters. The resulting target snapshot is encrypted.

Restore the encrypted snapshot to a new volume, which is also encrypted.

Youngjin Kim

You’re right. You can’t make an encrypted EBS volume from an unencrypted snapshot.

muhtu

D is the correct answer, because if you mount with a new mount point name then your application or DB may go down. Also, manual moving of sensitive data misses the links etc.

Nitin Thakur

Try it. D is not a valid option: if the snapshot is not encrypted you can't make an encrypted volume out of it. The only option is to make a new encrypted volume and then copy the data. As Tom said, B is the correct option.

Fun4two

Answer is D.

Existing unencrypted volumes cannot be encrypted directly, but can be migrated by:
◾ create an unencrypted snapshot from the volume
◾ create an encrypted copy of the unencrypted snapshot
◾ create an encrypted volume from the encrypted snapshot

• An encrypted snapshot can be created from an unencrypted snapshot by creating an encrypted copy of the unencrypted snapshot
• An unencrypted volume cannot be created from an encrypted volume directly but needs to be migrated

JERRY

Hey Guys,

I have created a lab to check it. D is correct. The procedure is as follows:

1. Unmount the volume
2. Create an unencrypted snapshot of the volume
3. Copy the snapshot to another snapshot with encryption enabled. Now you have an encrypted snapshot copy of the original volume
4. Create a new volume from the encrypted version of the snapshot
5. Mount the new volume to the instance

Manu

Still unsure about the answer, thanks for the article link

Gary

D is only feasible if you encrypt the snapshot before restoring. But the choice did not state whether it has encrypted the snapshot.
B is clearly a correct method.
In this case, B seems more like a correct answer.

Apps

B IS Correct answer

hello

D does not mention removing the volume that the concern surrounds. Therefore B seems the answer? Both B and D will work but B ticks all the boxes.

Rocky

D is my answer

Lorenzo

I think D is not correct because to encrypt a snapshot you have to copy it. Here the answer proposes:

>>> Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted Amazon EBS volume.
Mount the Amazon EBS volume

instead of:

>>> Snapshot the current Amazon EBS volume. Copy the snapshot to a new encrypted one in the same region. Restore the snapshot to a new, encrypted Amazon EBS volume.

So, I think the good answer, even if it's not a very pretty solution, is B.

No links, just try on AWS console.

Cloud Ninja

The word here is protect sensitive data; the reason why D is not the correct answer is because after copying the data there is no mention of removing the source data. It remains at risk unless deleted.
Correct answer is B.

abstar

B is my choice.
D is 100% incorrect

Snapshot the current Amazon EBS volume – this won’t be encrypted. Restore the snapshot to a new, encrypted Amazon EBS volume – this can’t be done.

vladam

D has issues due to missing steps:
– Snapshot of the current EBS volume is unencrypted and needs to be copied to an encrypted snapshot before restoring
– Current EBS volume needs to be deleted after the new one is mounted

Option B doesn’t have these issues, so it is the right answer.

vladam

Also see Amazon’s recommendation here:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

To migrate data between encrypted and unencrypted volumes
1. Create your destination volume (encrypted or unencrypted, depending on your need) by following the procedures in Creating an Amazon EBS Volume.
2. Attach the destination volume to the instance that hosts the data to migrate. For more information, see Attaching an Amazon EBS Volume to an Instance.
3. Make the destination volume available by following the procedures in Making an Amazon EBS Volume Available for Use. For Linux instances, you can create a mount point at /mnt/destination and mount the destination volume there.
4. Copy the data from your source directory to the destination volume. It may be most convenient to use a bulk-copy utility for this.

B is the right answer.

Saad

I agree D is missing important steps. Here are the steps to encrypt a volume’s data by means of snapshot copying:
1. Create a snapshot of your unencrypted EBS volume. This snapshot is also unencrypted.
2. Copy the snapshot while applying encryption parameters. The resulting target snapshot is encrypted.
3. Restore the encrypted snapshot to a new volume, which is also encrypted.

So, the missing steps from D are step number 2 and the deletion of the original volume.

The main concern I have with B is the word ‘Move’. As Muhtu said, if something happens during the move, data may be lost.

So, it seems like B is best choice out of the given solutions.

Ryan

D is correct, it’s more secure and reliable than B. You don’t have to literally ‘move’ data.

Haofei

B, agreed with “Cloud Ninja”, D did not delete the original data

Amit

B is the answer

1> You cannot create an encrypted volume from a snapshot of an unencrypted volume unless you do one step in between, as Tom said.
2> This intermediate step of creating a copy of the snapshot is not there in D, so B is the only feasible answer.

Zane

The answer is 100% B.

If answer D was correct one would need to copy the snapshot while applying encryption parameters resulting in the target snapshot being encrypted. See below docs.

Changing the Encryption State of Your Data

There is no direct way to encrypt an existing unencrypted volume, or to remove encryption from an encrypted volume. However, you can migrate data between encrypted and unencrypted volumes. You can also apply a new encryption status while copying a snapshot:

While copying an unencrypted snapshot of an unencrypted volume, you can encrypt the copy. Volumes restored from this encrypted copy will also be encrypted.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

From the same article

Apply Encryption While Copying a Snapshot

Because you can apply encryption to a snapshot while copying it, another path to encrypting your data is the following procedure.

To encrypt a volume’s data by means of snapshot copying

Create a snapshot of your unencrypted EBS volume. This snapshot is also unencrypted.

Copy the snapshot while applying encryption parameters. The resulting target snapshot is encrypted.

Restore the encrypted snapshot to a new volume, which is also encrypted.

Tuan

B is correct! B is the right way to do it.

D. “Encrypted Amazon EBS volume” => no way to encrypt an existing EBS volume or create a new encrypted EBS volume from an unencrypted snapshot.

Wajahat

B

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
Extract:
Apply Encryption While Copying a Snapshot
Because you can apply encryption to a snapshot while copying it, another path to encrypting your data is the following procedure.
To encrypt a volume’s data by means of snapshot copying
Create a snapshot of your unencrypted EBS volume. This snapshot is also unencrypted.
Copy the snapshot while applying encryption parameters. The resulting target snapshot is encrypted.
Restore the encrypted snapshot to a new volume, which is also encrypted.

Linh

B.
Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume. Delete the old Amazon EBS volume.

Derf

Both B and D could be considered correct, though I agree with those saying D has some missing steps, that is the short hand version of how to do it. And, several others posted directly to AWS documentation as to why B is correct. REMEMBER, you are looking for the answer AMAZON is saying is correct. In this case, it’s B.
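
The snapshot-copy procedure quoted in several comments above, together with the cleanup of the unencrypted source that other commenters point out, as an added example that is not part of the thread or of the AWS documentation. It assumes `ec2` is a boto3 EC2 client for `region`; the function names are hypothetical, and unmounting, attaching and mounting are left to the operator.

```python
# Added example: `ec2` is assumed to be a boto3 EC2 client for `region`.
# Function names are hypothetical, not from the thread or from AWS.

def encrypt_volume_via_snapshot_copy(ec2, region, volume_id, kms_key_id=None):
    """Return (new_volume_id, leftovers): the encrypted replacement volume and
    the unencrypted resources that still hold the data afterwards."""
    src = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    if src["Encrypted"]:
        raise ValueError(f"{volume_id} is already encrypted")

    # 1. Snapshot the unencrypted volume. This snapshot is also unencrypted.
    plain_id = ec2.create_snapshot(
        VolumeId=volume_id, Description=f"plaintext source of {volume_id}"
    )["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[plain_id])

    # 2. Copy the snapshot while applying encryption parameters.
    copy_args = {"SourceRegion": region, "SourceSnapshotId": plain_id,
                 "Encrypted": True}
    if kms_key_id:  # otherwise the account's default EBS key is used
        copy_args["KmsKeyId"] = kms_key_id
    enc_id = ec2.copy_snapshot(**copy_args)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_id])

    # 3. Restore the encrypted snapshot to a new volume in the same AZ.
    new_id = ec2.create_volume(
        SnapshotId=enc_id, AvailabilityZone=src["AvailabilityZone"]
    )["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_id])

    # Check the result before anyone treats the old volume as disposable.
    new = ec2.describe_volumes(VolumeIds=[new_id])["Volumes"][0]
    if not new["Encrypted"]:
        raise RuntimeError(f"{new_id} is not encrypted; keep {volume_id}")
    return new_id, {"volume": volume_id, "snapshot": plain_id}


def delete_plaintext_leftovers(ec2, leftovers):
    """Call only once the application uses the new volume and the old volume
    is detached; until then the plaintext copies are still recoverable."""
    ec2.delete_volume(VolumeId=leftovers["volume"])
    ec2.delete_snapshot(SnapshotId=leftovers["snapshot"])
```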