A user is trying to launch an EBS backed EC2 instance under free usage. The user wants to achieve
encryption of the EBS volume. How can the user encrypt the data at rest?
A. Use AWS EBS encryption to encrypt the data at rest
B. The user cannot use EBS encryption and has to encrypt the data manually or using a third party tool
C. The user has to select the encryption enabled flag while launching the EC2 instance
D. Encryption of volume is not available as a part of the free usage tier
Explanation:
AWS EBS supports encryption of a volume when creating new volumes. It supports encryption of the data at
rest, the I/O, and all the snapshots of the EBS volume. EBS supports encryption for selected
instance types and the newer generation instances, such as m3, c3, cr1, r3, g2. It is not supported with a micro
instance.
B is incorrect
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_supported_instances
No answer is here, I think. Now you could have encrypted boot volumes through AMIs
– Copy the unencrypted AMI with the encryption flag; from the newly created encrypted AMI you could simply launch a new instance with an encrypted boot volume
https://aws.amazon.com/blogs/aws/new-encrypted-ebs-boot-volumes/
If you follow the launch instance steps for free tier, you’ll notice that you can’t choose encryption on the disk page.
B. is correct, if you want encryption, you’ll need to do it yourself at free tier.
No one checked what the question asked: “free tier”, so only micro instances are eligible on free tier. Other instances can be used but are not part of the free tier.
So answer is B. Need to use third party software.
Sorry, I think the answer is A, because t2.micro supports encryption for EBS volumes.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
Answer is C; there is an option to enable the encryption flag when you select a new disk (EBS) while launching the EC2 instance.
Correct is B because free usage instances are t2.micro and these instance types aren't supported by Amazon EBS Encryption.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
Correct
t2.micro is supported now
A and C are the same answer using different words.
D is false so the only answer left is B
A. false, Cannot encrypt the boot volume but can encrypt additional volumes.
B. True, third party tools will work
C. false, Cannot encrypt the boot volume but can encrypt additional volumes.
D. false, now available to all instances encrypt additional volumes
check out: Instance types that support Amazon EBS encryption
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_supported_instances
The answer WAS supposed to be B.
update – on 15 DEC 2015, official New – Encrypted EBS Boot Volumes.
update – Richard@AWS Posted on: Sep 24, 2015 7:39 AM, We are currently adding support for encryption for some additional instance types, including the t2.micro.
update – current official document supports: |…|t2.nano | t2.micro | t2.small |…|
I agree with AWSMIND that it is B.
All his points are valid.
B
There is no direct way to encrypt an existing unencrypted volume, or to remove encryption from an encrypted volume. However, you can migrate data between encrypted and unencrypted volumes. You can also apply a new encryption status while copying a snapshot:
While copying an unencrypted snapshot of an unencrypted volume, you can encrypt the copy. Volumes restored from this encrypted copy will also be encrypted.
While copying an encrypted snapshot of an encrypted volume, you can re-encrypt the copy using a different CMK. Volumes restored from the encrypted copy will only be accessible using the newly applied CMK.
b
The right answer is C, since you can have encrypted volumes with free tier and boot drives.
For t2.micro, encrypted boot volumes are still not supported; only data volumes can be encrypted.
B
While launching a new instance, you will choose a snapshot as the root device. Volumes that are created from encrypted snapshots are automatically encrypted, and volumes that are created from unencrypted snapshots are automatically unencrypted. If no snapshot is selected, you can choose to encrypt the volume.
Thus, the user can’t make it encrypted if the snapshot is not encrypted. If the user wants to encrypt the volume, he has to do it manually, e.g., copy an existing snapshot and encrypt it, then launch the instance based on that snapshot.
So the answer is B
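An added example, not part of any post in this thread: since the posts disagree on whether the boot volume ends up encrypted, this check joins `aws ec2 describe-instances` and `aws ec2 describe-volumes` JSON and reports every attached volume that is not encrypted, with its role and source snapshot. The sample documents and all IDs are constructed.

```python
import json

# Constructed samples shaped like `aws ec2 describe-instances` and
# `aws ec2 describe-volumes` output; every ID here is made up.
INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0example1", "InstanceType": "t2.micro",
   "RootDeviceName": "/dev/xvda",
   "BlockDeviceMappings": [
     {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root1"}},
     {"DeviceName": "/dev/sdf", "Ebs": {"VolumeId": "vol-0data1"}}]},
  {"InstanceId": "i-0example2", "InstanceType": "t2.micro",
   "RootDeviceName": "/dev/xvda",
   "BlockDeviceMappings": [
     {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root2"}}]}]}]}
""")
VOLUMES = json.loads("""
{"Volumes": [
  {"VolumeId": "vol-0root1", "Encrypted": false, "SnapshotId": "snap-0base"},
  {"VolumeId": "vol-0data1", "Encrypted": true, "SnapshotId": ""},
  {"VolumeId": "vol-0root2", "Encrypted": true, "SnapshotId": "snap-0enc"}]}
""")


def unencrypted_volumes(instances_doc, volumes_doc):
    """List attached EBS volumes that are not encrypted, marking root vs data."""
    by_id = {v["VolumeId"]: v for v in volumes_doc["Volumes"]}
    findings = []
    for reservation in instances_doc["Reservations"]:
        for inst in reservation["Instances"]:
            for bdm in inst.get("BlockDeviceMappings", []):
                ebs = bdm.get("Ebs")
                if ebs is None:  # mapping without an EBS volume attached
                    continue
                vol = by_id.get(ebs["VolumeId"], {})
                # A volume missing from the listing is reported, not assumed safe.
                if vol.get("Encrypted") is True:
                    continue
                role = "root" if bdm["DeviceName"] == inst.get("RootDeviceName") else "data"
                findings.append({
                    "instance": inst["InstanceId"],
                    "volume": ebs["VolumeId"],
                    "role": role,
                    # Snapshot to copy with encryption enabled before relaunching.
                    "source_snapshot": vol.get("SnapshotId") or None,
                })
    return findings


if __name__ == "__main__":
    for finding in unencrypted_volumes(INSTANCES, VOLUMES):
        print(finding)
```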
Supported Instance Types
Amazon EBS encryption is available on the instance types listed in the table below. These instance types leverage the Intel AES New Instructions (AES-NI) instruction set to provide faster and simpler data protection. You can attach both encrypted and unencrypted volumes to these instance types simultaneously.
Instance family: Instance types that support Amazon EBS encryption
General purpose: m3.medium | m3.large | m3.xlarge | m3.2xlarge | m4.large | m4.xlarge | m4.2xlarge | m4.4xlarge | m4.10xlarge | m4.16xlarge | t2.nano | t2.micro | t2.small | t2.medium | t2.large | t2.xlarge | t2.2xlarge
Compute optimized: c4.large | c4.xlarge | c4.2xlarge | c4.4xlarge | c4.8xlarge | c3.large | c3.xlarge | c3.2xlarge | c3.4xlarge | c3.8xlarge
Memory optimized: cr1.8xlarge | r3.large | r3.xlarge | r3.2xlarge | r3.4xlarge | r3.8xlarge | r4.large | r4.xlarge | r4.2xlarge | r4.4xlarge | r4.8xlarge | r4.16xlarge | x1.16xlarge | x1.32xlarge
Storage optimized: d2.xlarge | d2.2xlarge | d2.4xlarge | d2.8xlarge | i2.xlarge | i2.2xlarge | i2.4xlarge | i2.8xlarge | i3.large | i3.xlarge | i3.2xlarge | i3.4xlarge | i3.8xlarge | i3.16xlarge
Accelerated computing: f1.2xlarge | f1.16xlarge | g2.2xlarge | g2.8xlarge | g3.4xlarge | g3.8xlarge | g3.16xlarge | p2.xlarge | p2.8xlarge | p2.16xlarge
Answer is “A”
A. Use AWS EBS encryption to encrypt the data at rest
(Encryption is allowed on micro instances)
User cannot use EBS encryption and has to encrypt the data manually or using a third party tool
(Encryption was not allowed on micro instances before)