SCS-C02 Question #365: Real Exam Question with Answer & Explanation

The correct answer is A: For each finding in the audit report, run the ec2 copy-snapshot command and use the encrypted.

Submitted by carter_n · Mar 6, 2026 · Data Protection

Question

Attach the following SCP to the OU that contains this account:

Options

  • A. For each finding in the audit report, run the ec2 copy-snapshot command and use the encrypted
  • B. Create a private AMI for the company. Configure encryption for the private AMI by selecting the
  • C. In the Amazon EC2 console, select the Always Encrypt new EBS volumes setting for each AWS

Explanation

Option A is correct because ec2 copy-snapshot with the --encrypted flag is the AWS-native method to remediate existing unencrypted snapshots found in an audit: you copy each unencrypted snapshot to a new encrypted one, then rebuild volumes and instances from those encrypted copies. This pairs directly with an SCP that denies launching unencrypted volumes going forward, covering both remediation and prevention.

Option B is wrong because creating a private AMI configures encryption only for new instances launched from that AMI - it does nothing to address the already-unencrypted snapshots flagged in the audit report.

Option C is wrong because the "Always Encrypt new EBS volumes" console setting is an account-level toggle that must be manually enabled in each individual account. It also only applies to new volumes, leaving existing unencrypted resources untouched. An SCP is the scalable, org-wide enforcement mechanism.

Memory tip: Think of it in two layers. The SCP is the lock on the door (prevents future unencrypted volumes), and copy-snapshot --encrypted is the cleaning crew (fixes what's already inside). Exam questions that combine SCPs with an audit scenario almost always require both enforcement and remediation steps.

Topics

#Data Protection #Encryption #EC2 Snapshots #AWS Organizations
