Domain 1.2: Security Controls — AWS SAP-C02 Practice Question 66

How to approach this question

Use SCPs to proactively enforce specific parameters (like a KMS key ARN) during resource creation.

Full Answer

D.Create an SCP that denies ec2:CreateVolume if the request does not specify the central CMK ARN.✓ Correct

Service Control Policies (SCPs) can enforce not just that encryption is used, but that a *specific* KMS key is used. By denying the ec2:CreateVolume action unless the request includes the ARN of the central CMK, compliance is mathematically guaranteed.

Common mistakes

Enforcing encryption generally, but forgetting to enforce the specific key.

A company is using AWS Control Tower. They want to ensure that all EBS volumes created in any member account are encrypted with a specific AWS KMS Customer Managed Key (CMK) owned by a central Security account. What is the MOST robust way to enforce this?

How to approach this question

Full Answer

Common mistakes

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 4

More questions from this exam