PrepAway - Latest Free Exam Questions & Answers

Which of the following approaches would protect the sensitive data on an Amazon EBS volume?

An existing application stores sensitive information on a non-boot Amazon EBS data volume attached to an
Amazon Elastic Compute Cloud instance. Which of the following approaches would protect the sensitive data
on an Amazon EBS volume?


A. Upload your customer keys to AWS CloudHSM. Associate the Amazon EBS volume with AWS CloudHSM. Remount the Amazon EBS volume.

B. Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume. Delete the old Amazon EBS volume.

C. Unmount the EBS volume. Toggle the encryption attribute to True. Re-mount the Amazon EBS volume.

D. Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted Amazon EBS volume. Mount the Amazon EBS volume.

31 Comments on “Which of the following approaches would protect the sensitive data on an Amazon EBS volume?”

  1. tom says:

    I would say ‘B’ is the right answer as option ‘D’ doesn’t provide a vital step in the process.

    ref: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

    Extract:
    Apply Encryption While Copying a Snapshot

    Because you can apply encryption to a snapshot while copying it, another path to encrypting your data is the following procedure.

    To encrypt a volume’s data by means of snapshot copying

    Create a snapshot of your unencrypted EBS volume. This snapshot is also unencrypted.

    ==> Copy the snapshot while applying encryption parameters. The resulting target snapshot is encrypted.

    Restore the encrypted snapshot to a new volume, which is also encrypted.




  2. muhtu says:

    D is the correct answer, because if you mount with a new mount point name then your application or DB may go down. Also, manual moving of sensitive data misses the links etc.




  3. Nitin Thakur says:

    Try it. D is not a valid option: if the snapshot is not encrypted you can't make an encrypted volume out of it. The only option is to make a new encrypted volume and then copy the data. As Tom said, B is the correct option.




  4. Fun4two says:

    Answer is D.

    Existing unencrypted volumes cannot be encrypted directly, but can be migrated by:
    ◾ create an unencrypted snapshot from the volume
    ◾ create an encrypted copy of the unencrypted snapshot
    ◾ create an encrypted volume from the encrypted snapshot

    • An encrypted snapshot can be created from an unencrypted snapshot by creating an encrypted copy of the unencrypted snapshot
    • An unencrypted volume cannot be created from an encrypted volume directly but needs to be migrated




    1. JERRY says:

      Hey Guys,

      I have created a lab to check it. D is correct. The procedure is as follows:

      1. Unmount the volume
      2. Create an unencrypted snapshot of the volume
      3. Copy the snapshot to another snapshot with encryption enabled. Now you have an encrypted snapshot copy of the original volume
      4. Create a new volume from the encrypted version of the snapshot
      5. Mount the new volume to the instance




  5. DakkuDaddy says:

    Answer is 100% D.

    D. Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted Amazon EBS volume.
    Mount the Amazon EBS volume

    Changing the Encryption State of Your Data

    While copying an unencrypted snapshot of an unencrypted volume, you can encrypt the copy. Volumes restored from this encrypted copy will also be encrypted.

    http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_supported_instances




  6. Gary says:

    D is only feasible if you encrypt the snapshot before restoring. But the choice did not state whether it has encrypted the snapshot.
    B is clearly a correct method.
    In this case, B seems more like a correct answer.




  7. hello says:

    D does not mention removing the volume that the concern surrounds. Therefore B seems the answer? Both B and D will work but B ticks all the boxes.




  8. Lorenzo says:

    I think D is not correct because to encrypt a snapshot you have to copy it. Here the answer proposes:

    >>> Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted Amazon EBS volume.
    Mount the Amazon EBS volume

    instead of:

    >>> Snapshot the current Amazon EBS volume. Copy the snapshot to a new encrypted one in the same region. Restore the snapshot to a new, encrypted Amazon EBS volume.

    So, I think the good answer, even if it's not a very pretty solution, is B.

    No links, just try on AWS console.




  9. Cloud Ninja says:

    The word here is protect sensitive data. The reason why D is not the correct answer is because after copying the data there is no mention of removing the source data. It remains at risk unless deleted.
    Correct answer is B.




  10. abstar says:

    B is my choice.
    D is 100% incorrect

    Snapshot the current Amazon EBS volume – this won’t be encrypted. Restore the snapshot to a new, encrypted Amazon EBS volume – this can’t be done.




  11. vladam says:

    D has issues due to missing steps:
    – Snapshot of the current EBS volume is unencrypted and needs to be copied to an encrypted snapshot before restoring
    – Current EBS volume needs to be deleted after new one is mounted

    Option B doesn’t have these issues, so it is the right answer.




    1. vladam says:

      Also see Amazon’s recommendation here:
      http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

      To migrate data between encrypted and unencrypted volumes
      1. Create your destination volume (encrypted or unencrypted, depending on your need) by following the procedures in Creating an Amazon EBS Volume.
      2. Attach the destination volume to the instance that hosts the data to migrate. For more information, see Attaching an Amazon EBS Volume to an Instance.
      3. Make the destination volume available by following the procedures in Making an Amazon EBS Volume Available for Use. For Linux instances, you can create a mount point at /mnt/destination and mount the destination volume there.
      4. Copy the data from your source directory to the destination volume. It may be most convenient to use a bulk-copy utility for this.

      B is the right answer.




  12. Saad says:

    I agree D is missing important steps. Here are the steps to encrypt a volume’s data by means of snapshot copying:
    1. Create a snapshot of your unencrypted EBS volume. This snapshot is also unencrypted.
    2. Copy the snapshot while applying encryption parameters. The resulting target snapshot is encrypted.
    3. Restore the encrypted snapshot to a new volume, which is also encrypted.

    So, the missing steps from D are step number 2 and the deletion of the original volume.

    The main concern I have with B is the word ‘Move’. As Muhtu said, if something happens during the move, data may be lost.

    So, it seems like B is the best choice out of the given solutions.




  13. Amit says:

    B is the answer

    1> You cannot create an encrypted volume from a snapshot of an unencrypted volume unless you do one step in between as Tom said.
    2> This intermediate step of creating copy of snapshot is not there in D so B is the only feasible answer.




  14. Zane says:

    The answer is 100% B.

    If answer D was correct one would need to copy the snapshot while applying encryption parameters resulting in the target snapshot being encrypted. See below docs.

    Changing the Encryption State of Your Data

    There is no direct way to encrypt an existing unencrypted volume, or to remove encryption from an encrypted volume. However, you can migrate data between encrypted and unencrypted volumes. You can also apply a new encryption status while copying a snapshot:

    While copying an unencrypted snapshot of an unencrypted volume, you can encrypt the copy. Volumes restored from this encrypted copy will also be encrypted.

    http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

    From the same article

    Apply Encryption While Copying a Snapshot

    Because you can apply encryption to a snapshot while copying it, another path to encrypting your data is the following procedure.

    To encrypt a volume’s data by means of snapshot copying

    Create a snapshot of your unencrypted EBS volume. This snapshot is also unencrypted.

    Copy the snapshot while applying encryption parameters. The resulting target snapshot is encrypted.

    Restore the encrypted snapshot to a new volume, which is also encrypted.




  15. Tuan says:

    B is correct! B is right way to do.

    D. “Encrypted Amazon EBS volume” => no way to encrypt an existing EBS volume or create a new encrypted EBS volume from an unencrypted snapshot.




  16. Wajahat says:

    B

    http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
    Extract: Apply Encryption While Copying a Snapshot
    Because you can apply encryption to a snapshot while copying it, another path to
    encrypting your data is the following procedure.
    To encrypt a volume’s data by means of snapshot copying
    Create a snapshot of your unencrypted EBS volume. This snapshot is also unencrypted.
    Copy the snapshot while applying encryption parameters. The resulting target snapshot is
    encrypted.
    Restore the encrypted snapshot to a new volume, which is also encrypted.




  17. Linh says:

    B.
    Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume. Delete the old Amazon EBS volume.




  18. Derf says:

    Both B and D could be considered correct, though I agree with those saying D has some missing steps, that is the short hand version of how to do it. And, several others posted directly to AWS documentation as to why B is correct. REMEMBER, you are looking for the answer AMAZON is saying is correct. In this case, it’s B.




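Added example (not part of any comment above, and not AWS's or the site's code): the snapshot-copy procedure quoted from the AWS documentation in the thread, written as AWS CLI calls in POSIX shell. It goes beyond the quoted steps by checking the new volume's `Encrypted` flag before anything is deleted and by removing the plaintext intermediate snapshot as well as the old volume; the function names are hypothetical, and the volume ID, region, availability zone and KMS key are caller-supplied arguments.

```shell
#!/bin/sh
# Added example: encrypt an existing EBS data volume via snapshot copy.
# All IDs, the region, the AZ and the KMS key are arguments; none come from the page.

# encrypt_volume SRC_VOLUME_ID REGION AZ KMS_KEY_ID -> prints the new encrypted volume ID
encrypt_volume() {
    src_vol=$1 region=$2 az=$3 kms_key=$4

    # 1. Snapshot the unencrypted volume (this snapshot is unencrypted too).
    plain_snap=$(aws ec2 create-snapshot --region "$region" --volume-id "$src_vol" \
        --description "pre-encryption copy of $src_vol" \
        --query SnapshotId --output text) || return 1
    aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$plain_snap" || return 1

    # 2. Copy the snapshot while applying encryption (the docs step quoted in the thread).
    enc_snap=$(aws ec2 copy-snapshot --region "$region" --source-region "$region" \
        --source-snapshot-id "$plain_snap" --encrypted --kms-key-id "$kms_key" \
        --query SnapshotId --output text) || return 1
    aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$enc_snap" || return 1

    # 3. Restore the encrypted snapshot to a new volume in the instance's AZ.
    new_vol=$(aws ec2 create-volume --region "$region" --snapshot-id "$enc_snap" \
        --availability-zone "$az" --query VolumeId --output text) || return 1
    aws ec2 wait volume-available --region "$region" --volume-ids "$new_vol" || return 1

    # 4. Verify the result before any plaintext copy is deleted.
    state=$(aws ec2 describe-volumes --region "$region" --volume-ids "$new_vol" \
        --query 'Volumes[0].Encrypted' --output text | tr 'A-Z' 'a-z')
    [ "$state" = "true" ] || { echo "refusing: $new_vol is not encrypted" >&2; return 1; }

    # 5. The plaintext intermediate snapshot is as exposed as the old volume.
    aws ec2 delete-snapshot --region "$region" --snapshot-id "$plain_snap" || return 1
    echo "$new_vol"
}

# retire_plain_volume OLD_VOLUME_ID REGION: delete the old volume, only once detached
retire_plain_volume() {
    st=$(aws ec2 describe-volumes --region "$2" --volume-ids "$1" \
        --query 'Volumes[0].State' --output text) || return 1
    [ "$st" = "available" ] || { echo "refusing: $1 is still $st" >&2; return 1; }
    aws ec2 delete-volume --region "$2" --volume-id "$1"
}
```

Attach and mount the volume that `encrypt_volume` prints in place of the old one, then call `retire_plain_volume` once the old volume is detached.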
