Which solution will securely share the AMI with the other AWS accounts?

SOA-C02 V5 0 Comments

A company’s SysOps administrator has created an Amazon EC2 instance with custom software that will be used as a template for all new EC2 instances across multiple AWS accounts. The Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the EC2 instance are encrypted with

AWS managed keys.

The SysOps administrator creates an Amazon Machine Image (AMI) of the custom EC2 instance and plans to share the AMI with the company’s other AWS accounts. The company requires that all AMIs are encrypted with AWS Key Management Service (AWS KMS) keys and that only authorized AWS accounts can access the shared AMIs.

Which solution will securely share the AMI with the other AWS accounts?
A . In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescribeKey, kms ReEncrypf, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.
B . In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*. kms:CreateGrant, and kms;Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI. and specify the CMK. Modify the permissions on the copied AMI to specify the AWS account numbers that the AMI will be shared with.
C . In the account where the AMI was created, create a customer master key (CMK). Modify the key policy to provide kms:DescrlbeKey, kms:ReEncrypt kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI. and specify the CMK. Modify the permissions on the copied AMI to make it public.
D . In the account where the AMI was created, modify the key policy of the AWS managed key to provide kms:DescnbeKey. kms:ReEncrypt kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.

Answer: B

Explanation:

Step-by-Step

Understand the Problem:

Share an AMI with other AWS accounts while ensuring it is encrypted with AWS KMS keys and accessible only to authorized accounts.

Analyze the Requirements:

Encrypt the AMI with a customer-managed key (CMK).

Share the AMI securely with specific AWS accounts.

Evaluate the Options:

Option A: Create a CMK and modify the key policy but do not create a copy of the AMI.

This does not re-encrypt the AMI with the CMK.

Option B: Create a CMK, modify the key policy, create a copy of the AMI, and specify the CMK.

This ensures the AMI is encrypted with the CMK and shared securely.

Option C: Create a CMK, modify the key policy, create a copy of the AMI, and make it public.

Making the AMI public does not meet the requirement of sharing with specific accounts only.

Option D: Modify the key policy of the AWS managed key and share the AMI.

AWS managed keys cannot have their key policies modified to add permissions for other accounts.

Select the Best Solution:

Option B: Creating a CMK, modifying the key policy, creating a copy of the AMI with the CMK, and specifying the permissions ensures the AMI is securely shared with specific AWS accounts.

Reference: Copying an AMI

Creating and Managing Keys

Sharing AMIs

This solution ensures the AMI is encrypted with a customer-managed key and shared securely with the specified AWS accounts.

Latest SOA-C02 Dumps Valid Version with 54 Q&As

Latest And Valid Q&A | Instant Download | Once Fail, Full Refund

Instant Download SOA-C02 PDF     SOA-C02 Questions Online Training
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments