What is the MOST secure way for the solutions architect to share the AMI with the MSP Partner’s AWS account?
A company recently signed a contract with an AWS Managed Service Provider (MSP) Partner for help with an application migration initiative. A solutions architect needs to share an Amazon Machine Image (AMI) from an existing AWS account with the MSP Partner’s AWS account. The AMI is backed by Amazon Elastic Block Store (Amazon EBS) and uses a customer managed customer master key (CMK) to encrypt EBS volume snapshots.
What is the MOST secure way for the solutions architect to share the AMI with the MSP Partner’s AWS account?
A . Make the encrypted AMI and snapshots publicly available. Modify the CMK’s key policy to allow the MSP Partner’s AWS account to use the key
B . Modify the launchPermission property of the AMI. Share the AMI with the MSP Partner’s AWS account only. Modify the CMK’s key policy to allow the MSP Partner’s AWS account to use the key.
C . Modify the launchPermission property of the AMI Share the AMI with the MSP Partner’s AWS account only. Modify the CMK’s key policy to trust a new CMK that is owned by the MSP Partner for encryption.
D . Export the AMI from the source account to an Amazon S3 bucket in the MSP Partner’s AWS account. Encrypt the S3 bucket with a CMK that is owned by the MSP Partner Copy and launch the AMI in the MSP Partner’s AWS account.
Answer: B
Explanation:
Share the existing KMS key with the MSP external account because it has already been used to encrypt the AMI snapshot. https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
Latest SAA-C03 Dumps Valid Version with 400 Q&As
Latest And Valid Q&A | Instant Download | Once Fail, Full Refund