PrepAway - Latest Free Exam Questions & Answers

How can you secure data at rest on an EBS volume?

A. Attach the volume to an instance using EC2’s SSL interface.

B. Write the data randomly instead of sequentially.

C. Encrypt the volume using the S3 server-side encryption service.

D. Create an IAM policy that restricts read and write access to the volume.

E. Use an encrypted file system on top of the EBS volume.

Explanation:

https://aws.amazon.com/blogs/aws/protect-your-data-with-new-ebs-encryption/

22 Comments on “How can you secure data at rest on an EBS volume?”

  1. kamleshj says:

    C

    We take data protection very seriously! Over the years we have added a number of security and encryption features to various parts of AWS. We protect data at rest with Server Side Encryption for Amazon S3 and Amazon Glacier, multiple tiers of encryption for Amazon Redshift, and Transparent Data Encryption for Oracle and SQL Server databases via Amazon RDS. We protect data in motion with extensive support for SSL/TLS in CloudFront, Amazon RDS, and Elastic Load Balancing.




    0



    0
    1. noorani khan says:

      Yes, you can encrypt S3, EC2 instances, etc. But the question is how to encrypt the volume at rest on EBS; it has nothing to do with S3.




      0



      0
  2. kay says:

    D

    https://d0.awsstatic.com/whitepapers/AWS_Securing_Data_at_Rest_with_Encryption.pdf

    Because Amazon EBS volumes are presented to an instance as a block device, you can
    leverage most standard encryption tools for file system-level or block-level encryption.
    Some common block-level open source encryption solutions for Linux are Loop-AES,
    dm-crypt (with or without) LUKS, and TrueCrypt. Each of these operates below the file
    system layer using kernel space device drivers to perform encryption and decryption of
    data. These tools are useful when you want all data written to a volume to be encrypted
    regardless of what directory the data is stored in.

    Another option would be to use file system-level encryption, which works by stacking an
    encrypted file system on top of an existing file system. This method is typically used to
    encrypt a specific directory. eCryptfs and EncFs are two Linux-based open source
    examples of file system-level encryption tools.




    0



    0
    1. vladam says:

      As per this explanation the correct answer is E:
      E. Use an encrypted file system on top of the EBS volume.

      So the right answer is E.




      1



      0
      1. Antony Philip says:

        An encrypted filesystem is an inside-EC2 operation, and that cannot be done by any AWS service (it's a sysadmin task). But server-side encryption can be done when volumes (not filesystems) are created.

        So the answer is C, I guess.




        0



        0
        1. Skipper says:

          I think even if the EBS volume is stored on S3 and encrypted with SSE-S3, the E option is not wrong and thus a better, more obvious fit.




          0



          0
  3. bargom says:

    Amazon Elastic Block Store (Amazon EBS) provides block-level storage volumes for use
    with Amazon EC2 instances. Amazon EBS volumes are network-attached, and persist
    independently from the life of an instance.

    Because Amazon EBS volumes are presented to an instance as a block device, you can
    leverage most standard encryption tools for file system-level or block-level encryption.
    Some common block-level open source encryption solutions for Linux are Loop-AES,
    dm-crypt (with or without) LUKS, and TrueCrypt. Each of these operates below the file
    system layer using kernel space device drivers to perform encryption and decryption of
    data. These tools are useful when you want all data written to a volume to be encrypted
    regardless of what directory the data is stored in.

    Another option would be to use file system-level encryption, which works by stacking an
    encrypted file system on top of an existing file system. This method is typically used to
    encrypt a specific directory. eCryptfs and EncFs are two Linux-based open source
    examples of file system-level encryption tools.

    Answer: E (as we don’t see block level encryption in the options)




    1



    0
  4. majidy says:

    Answer is E:

    http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

    Amazon EBS encryption offers you a simple encryption solution for your EBS volumes without the need for you to build, maintain, and secure your own key management infrastructure. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:

    Data at rest inside the volume
    All data moving between the volume and the instance
    All snapshots created from the volume




    0



    0
  5. T says:

    Some common block-level open source encryption solutions for Linux are LoopAES,
    dm-crypt (with or without) LUKS, and TrueCrypt. Each of these operates below the file system layer using kernel
    space device drivers to perform encryption and decryption of data. These tools are useful when you want all data
    written to a volume to be encrypted regardless of what directory the data is stored in. Another option would be to use
    file system-level encryption, which works by stacking an encrypted file system on top of an existing file system.




    0



    0
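
An added example, not part of the original page or any commenter's post: the thread contrasts native EBS encryption with guest-level tools such as dm-crypt/LUKS, and this script audits JSON shaped like `aws ec2 describe-volumes` and `describe-snapshots` output for volumes that lack the native `Encrypted` flag. The volume, instance and snapshot IDs are constructed, and the `audit_ebs` helper is a hypothetical name chosen for illustration.

```python
import json

# Constructed sample shaped like `aws ec2 describe-volumes` output (IDs are made up).
VOLUMES_JSON = """
{"Volumes": [
  {"VolumeId": "vol-0aaa", "Encrypted": true, "State": "in-use",
   "Attachments": [{"InstanceId": "i-0001", "Device": "/dev/sdf"}]},
  {"VolumeId": "vol-0bbb", "Encrypted": false, "State": "in-use",
   "Attachments": [{"InstanceId": "i-0002", "Device": "/dev/sdg"}]},
  {"VolumeId": "vol-0ccc", "Encrypted": false, "State": "available", "Attachments": []}
]}
"""
# Constructed sample shaped like `aws ec2 describe-snapshots` output.
SNAPSHOTS_JSON = """
{"Snapshots": [
  {"SnapshotId": "snap-0a1", "VolumeId": "vol-0aaa", "Encrypted": true},
  {"SnapshotId": "snap-0b2", "VolumeId": "vol-0bbb", "Encrypted": false},
  {"SnapshotId": "snap-0b1", "VolumeId": "vol-0bbb", "Encrypted": false}
]}
"""


def audit_ebs(volumes_json, snapshots_json):
    """Return one finding per volume that lacks native EBS encryption."""
    volumes = json.loads(volumes_json).get("Volumes", [])
    snapshots = json.loads(snapshots_json).get("Snapshots", [])
    # Snapshots taken from an unencrypted volume are unencrypted too, so the
    # exposure extends beyond the volume itself. Group them by source volume.
    plain_snaps = {}
    for snap in snapshots:
        if not snap.get("Encrypted", False):
            plain_snaps.setdefault(snap.get("VolumeId"), []).append(snap["SnapshotId"])
    findings = []
    for vol in volumes:
        if vol.get("Encrypted", False):
            continue
        instances = [a["InstanceId"] for a in vol.get("Attachments", [])]
        findings.append({
            "volume": vol["VolumeId"],
            "instances": instances,
            "unencrypted_snapshots": sorted(plain_snaps.get(vol["VolumeId"], [])),
            # The API flag cannot see dm-crypt/LUKS or eCryptfs inside the guest,
            # so an attached volume needs an in-instance check before it is
            # reported as plaintext.
            "action": ("verify guest-level encryption" if instances
                       else "unattached: no guest encryption evidence"),
        })
    return findings
```

For an attached volume flagged here, `lsblk -f` inside the instance shows a `crypto_LUKS` filesystem type when the block device is protected by LUKS.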
