An existing application stores sensitive information on a non-boot Amazon EBS data volume
attached to an Amazon Elastic Compute Cloud instance. Which of the following approaches
would protect the sensitive data on an Amazon EBS volume?
A. Upload your customer keys to AWS CloudHSM. Associate the Amazon EBS volume with AWS
CloudHSM. Re-mount the Amazon EBS volume.
B. Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume.
Delete the old Amazon EBS volume.
C. Unmount the EBS volume. Toggle the encryption attribute to True. Re-mount the Amazon EBS
volume.
D. Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted Amazon
EBS volume. Mount the Amazon EBS volume.
Explanation:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
To migrate data between encrypted and unencrypted volumes:
1. Create your destination volume (encrypted or unencrypted, depending on your need) by
following the procedures in Creating an Amazon EBS Volume.
2. Attach the destination volume to the instance that hosts the data to migrate. For more
information, see Attaching an Amazon EBS Volume to an Instance.
3. Make the destination volume available by following the procedures in Making an Amazon
EBS Volume Available for Use. For Linux instances, you can create a mount point at
/mnt/destination and mount the destination volume there.
4. Copy the data from your source directory to the destination volume. It may be most
convenient to use a bulk-copy utility for this.
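The four steps above, sketched with the AWS CLI as an added example (not part of the original page or of the AWS documentation it quotes). The instance ID, Availability Zone, size, device name, mount points, `gp3`, XFS and `rsync` are assumptions; by default the script only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example: steps 1-4 of the migration with the AWS CLI, run as root on the instance.
# Assumed, not from the page: device name, mount point, gp3, XFS, rsync, all IDs.
set -eu
DRY_RUN="${DRY_RUN:-1}"          # 1 = only print the commands; 0 = execute them

run() {                          # print each command, execute it only when DRY_RUN=0
  echo "+ $*"
  if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

migrate_to_encrypted() {
  local instance="$1" az="$2" size_gib="$3" src_dir="$4"
  local dev="/dev/sdf" mnt="/mnt/destination" vol="vol-PLACEHOLDER"
  # On Nitro instances the kernel may expose the device as /dev/nvmeXn1; check lsblk.

  # Step 1: create the destination volume; encryption is set at creation time.
  echo "+ aws ec2 create-volume --encrypted --availability-zone $az --size $size_gib --volume-type gp3"
  if [ "$DRY_RUN" = "0" ]; then
    vol=$(aws ec2 create-volume --encrypted --availability-zone "$az" \
            --size "$size_gib" --volume-type gp3 --query VolumeId --output text)
  fi
  run aws ec2 wait volume-available --volume-ids "$vol"

  # Step 2: attach it to the instance that hosts the data to migrate.
  run aws ec2 attach-volume --volume-id "$vol" --instance-id "$instance" --device "$dev"
  run aws ec2 wait volume-in-use --volume-ids "$vol"

  # Step 3: make the volume available for use (filesystem, mount point, mount).
  run mkfs -t xfs "$dev"
  run mkdir -p "$mnt"
  run mount "$dev" "$mnt"

  # Step 4: bulk copy, preserving ownership, hard links, ACLs and xattrs.
  run rsync -aHAX --numeric-ids "$src_dir"/ "$mnt"/

  # Before the old volume is deleted: Encrypted must print True and diff must be empty.
  run aws ec2 describe-volumes --volume-ids "$vol" --query 'Volumes[0].Encrypted' --output text
  run diff -r "$src_dir" "$mnt"
}

# Runs only when four arguments are given, for example:
#   DRY_RUN=0 ./migrate.sh i-0123456789abcdef0 us-east-1a 100 /mnt/source
if [ "$#" -eq 4 ]; then migrate_to_encrypted "$@"; fi
```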
D is also correct:
To encrypt a volume’s data by means of snapshot copying:
1. Create a snapshot of your unencrypted EBS volume. This snapshot is also unencrypted.
2. Copy the snapshot while applying encryption parameters. The resulting target snapshot is encrypted.
3. Restore the encrypted snapshot to a new volume, which is also encrypted.
That’s correct, but there is no “copy” operation in D.
You cannot create encrypted volumes from unencrypted. D is wrong.