Which of the following approaches would protect the sen…

An existing application stores sensitive information on a non-boot Amazon EBS data volume attached to an
Amazon Elastic Compute Cloud instance. Which of the following approaches would protect the sensitive data
on an Amazon EBS volume?

A.
Upload your customer keys to AWS CloudHSM. Associate the Amazon EBS volume with AWS CloudHSM.
Re-mount the Amazon EBS volume.

B.
Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume. Delete the old Amazon EBS volume.

C.
Unmount the EBS volume. Toggle the encryption attribute to True. Re-mount the Amazon EBS volume.

D.
Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted Amazon EBS
volume. Mount the Amazon EBS volume.

Explanation:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

To migrate data between encrypted and unencrypted volumes:
1. Create your destination volume (encrypted or unencrypted, depending on your need) by following the
procedures in Creating an Amazon EBS Volume.
2. Attach the destination volume to the instance that hosts the data to migrate. For more information, see
Attaching an Amazon EBS Volume to an Instance.
procedures in Making an Amazon EBS Volume Available for Using. For Linux instances, you can create a
mount point at /mnt/destination and mount the destination volume there.
4. Copy the data from your source directory to the destination volume. It may be most convenient to use a bulk-copy utility for this.
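
The migration steps above, followed by option B's final delete, written out with the AWS CLI as an added example (not part of the original page or of the AWS documentation). The volume and instance IDs, device names, mount points, the ext4 file system and the choice to match the source volume's size are assumptions supplied by the caller.

```shell
# Added example, not from the original page. IDs, device names and mount
# points are placeholders passed in by the caller.

# Steps 1-2: create an encrypted volume in the source volume's AZ, with the
# same size (an assumption), attach it, and print the new volume ID.
create_encrypted_destination() {
  local src_vol="$1" instance_id="$2" device="$3" az size new_vol
  az=$(aws ec2 describe-volumes --volume-ids "$src_vol" \
        --query 'Volumes[0].AvailabilityZone' --output text) || return 1
  size=$(aws ec2 describe-volumes --volume-ids "$src_vol" \
        --query 'Volumes[0].Size' --output text) || return 1
  # Without --kms-key-id the account's default EBS encryption key is used.
  new_vol=$(aws ec2 create-volume --encrypted --availability-zone "$az" \
        --size "$size" --query 'VolumeId' --output text) || return 1
  aws ec2 wait volume-available --volume-ids "$new_vol" || return 1
  aws ec2 attach-volume --volume-id "$new_vol" --instance-id "$instance_id" \
        --device "$device" >/dev/null || return 1
  printf '%s\n' "$new_vol"
}

# Steps 3-4, run as root on the instance. Confirm the device with lsblk first:
# the name seen by the OS can differ from the one given at attach time.
copy_to_destination() {
  local src_dir="$1" dev="$2" mnt="${3:-/mnt/destination}"
  mkfs -t ext4 "$dev" || return 1              # ext4 is an assumption
  mkdir -p "$mnt" || return 1
  mount "$dev" "$mnt" || return 1
  rsync -aHAX "$src_dir"/ "$mnt"/ || return 1  # keep owners, ACLs, xattrs
  diff -r -x lost+found "$src_dir" "$mnt" >/dev/null
}

# Option B's last step: delete the old volume only once the destination
# reports Encrypted=true (--output text prints booleans as True/False).
# Unmount the old file system on the instance before calling this.
retire_source_volume() {
  local src_vol="$1" new_vol="$2" enc
  enc=$(aws ec2 describe-volumes --volume-ids "$new_vol" \
        --query 'Volumes[0].Encrypted' --output text) || return 1
  if [ "$enc" != "True" ]; then
    echo "destination $new_vol is not encrypted; keeping $src_vol" >&2
    return 1
  fi
  aws ec2 detach-volume --volume-id "$src_vol" >/dev/null || return 1
  aws ec2 wait volume-available --volume-ids "$src_vol" || return 1
  aws ec2 delete-volume --volume-id "$src_vol"
}
```

Snapshots taken of the old volume before the migration remain unencrypted after the volume is deleted, so they need the same review.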




Harish

D is the correct answer, I think.

SHI Bin

I think so. What is the difference anyway between B and D?

McEphin

B is correct for reasons stated below

SHI Bin

Oh, D is wrong because you cannot restore an unencrypted snapshot to an encrypted EBS. Here are the steps from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
To encrypt a volume’s data by means of snapshot copying

Create a snapshot of your unencrypted EBS volume. This snapshot is also unencrypted.

Copy the snapshot while applying encryption parameters. The resulting target snapshot is encrypted.

Restore the encrypted snapshot to a new volume, which is also encrypted.

For more information, see Copying an Amazon EBS Snapshot.

Harsha

Yes, I agree with D. Why? See below.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

To encrypt a volume’s data by means of snapshot copying

Create a snapshot of your unencrypted EBS volume. This snapshot is also unencrypted.

Copy the snapshot while applying encryption parameters. The resulting target snapshot is encrypted.

Restore the encrypted snapshot to a new volume, which is also encrypted.

Justin Yao

I think D doesn’t delete the original volume.