11.4k views
1 vote
A company has several unencrypted EBS snapshots in their VPC. The solutions architect must ensure that all of the new EBS volumes restored from the unencrypted snapshots are automatically encrypted. What should be done to accomplish this requirement?

User Deepika
by
8.8k points

1 Answer

1 vote

Final answer:

To ensure new EBS volumes are encrypted when restored from unencrypted snapshots, create an encrypted copy of the snapshot using a CMK and ensure that new volumes are built from these copies. Future snapshots should be set to encrypted by default, and use AWS Config or CloudTrail to monitor and audit encryption settings.

Step-by-step explanation:

To ensure that all of the new EBS volumes restored from the unencrypted snapshots are automatically encrypted in an AWS environment, the solutions architect should perform the following steps:

  • Create a copy of the unencrypted snapshot and select the option to encrypt the copy with a customer master key (CMK). This step can be done through the AWS Management Console, AWS CLI, or AWS API.
  • Once the encrypted snapshot is available, new EBS volumes created from this snapshot will be automatically encrypted.
  • Ensure that future snapshots are also automatically encrypted by setting an encrypted flag or modifying the EBS volume properties to always encrypt snapshots.
  • Implement a process to monitor and audit the EBS snapshots and volumes for encryption, using AWS services such as AWS Config or CloudTrail.

By securely encrypting snapshots, the company can protect its data and comply with security best practices. AWS provides straightforward options to automatically encrypt EBS volumes restored from encrypted snapshots, thereby maintaining a robust security posture.

User Rdiachenko
by
7.9k points
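
The copy and audit steps from the answer above, as an added example that is not part of the original answer: it plans encrypted copies for unencrypted snapshots and reports unencrypted volumes. The snapshot and volume IDs, the region and the key alias are constructed; the dictionary keys follow the EC2 DescribeSnapshots, DescribeVolumes and CopySnapshot field names.

```python
# Constructed sample data shaped like EC2 DescribeSnapshots / DescribeVolumes output.
SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa0000000000001", "Encrypted": False, "State": "completed"},
    {"SnapshotId": "snap-0aaa0000000000002", "Encrypted": True, "State": "completed"},
    {"SnapshotId": "snap-0aaa0000000000003", "Encrypted": False, "State": "pending"},
]
VOLUMES = [
    {"VolumeId": "vol-0bbb0000000000001", "SnapshotId": "snap-0aaa0000000000001", "Encrypted": False},
    {"VolumeId": "vol-0bbb0000000000002", "SnapshotId": "snap-0aaa0000000000002", "Encrypted": True},
    {"VolumeId": "vol-0bbb0000000000003", "SnapshotId": "", "Encrypted": False},
]
REGION, KMS_KEY = "us-east-1", "alias/ebs-example"  # assumed region, placeholder key alias


def plan_encrypted_copies(snapshots, region, kms_key_id):
    """Return (plans, skipped): CopySnapshot parameters, and snapshots not yet copyable."""
    plans, skipped = [], []
    for snap in snapshots:
        if snap.get("Encrypted"):
            continue  # already encrypted, nothing to do
        if snap.get("State") != "completed":
            skipped.append(snap["SnapshotId"])  # retry once the snapshot completes
            continue
        plans.append({
            "SourceRegion": region,
            "SourceSnapshotId": snap["SnapshotId"],
            "Encrypted": True,
            "KmsKeyId": kms_key_id,
            "Description": "Encrypted copy of " + snap["SnapshotId"],
        })
    return plans, skipped


def audit_volumes(volumes, snapshots):
    """Report every unencrypted volume and the snapshot it came from, if any."""
    plaintext_snaps = {s["SnapshotId"] for s in snapshots if not s.get("Encrypted")}
    findings = []
    for vol in volumes:
        if vol.get("Encrypted"):
            continue
        src = vol.get("SnapshotId") or None  # empty string means no source snapshot
        reason = ("restored from unencrypted snapshot" if src in plaintext_snaps
                  else "created unencrypted without a listed snapshot")
        findings.append({"VolumeId": vol["VolumeId"], "SnapshotId": src, "Reason": reason})
    return findings


if __name__ == "__main__":
    print(plan_encrypted_copies(SNAPSHOTS, REGION, KMS_KEY), audit_volumes(VOLUMES, SNAPSHOTS))
```

Each plan dictionary can be passed as keyword arguments to boto3's `copy_snapshot` on an EC2 client, and the findings list is the kind of result a scheduled audit job would alert on.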