Auditors for a health care company have mandated that all data volumes be encrypted at rest. Infrastructure is deployed mainly via AWS CloudFormation; however, ...

Auditors for a health care company have mandated that all data volumes be encrypted at rest. Infrastructure is deployed mainly via AWS CloudFormation; however, third-party frameworks and manual deployment are required on some legacy systems.
What is the BEST way to monitor, on a recurring basis, whether all EBS volumes are encrypted?

A. On a recurring basis, update all IAM user policies to require that EC2 instances are created with an encrypted volume. B. Configure an AWS Config rule to run on a recurring basis for volume encryption. C. Set up Amazon Inspector rules for volume encryption to run on a recurring schedule. D. Use CloudWatch Logs to determine whether instances were created with an encrypted volume.