A company has a security requirement that any Amazon RDS database must be encrypted at rest. Which TWO actions should be taken to enforce this requirement?
Correct: Detects and remediates non-compliant instances.
Why this answer
Options A and C are correct. To enforce encryption, you can use IAM policies with conditions that require encryption parameters, and use AWS Config rules to detect unencrypted databases and trigger remediation.
Option B is wrong because enabling encryption on existing databases requires a snapshot restore. Option D is wrong because SCPs cannot enforce encryption at the service level. Option E is wrong because VPC security groups control network access, not encryption.