Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 27 discussion

A developer wants to expand an application to run in multiple AWS Regions. The developer wants to copy Amazon Machine Images (AMIs) with the latest changes and create a new application stack in the destination Region. According to company requirements, all AMIs must be encrypted in all Regions. However, not all the AMIs that the company uses are encrypted.
How can the developer expand the application to run in the destination Region while meeting the encryption requirement?

  • A. Create new AMIs, and specify encryption parameters. Copy the encrypted AMIs to the destination Region. Delete the unencrypted AMIs.
  • B. Use AWS Key Management Service (AWS KMS) to enable encryption on the unencrypted AMIs. Copy the encrypted AMIs to the destination Region.
  • C. Use AWS Certificate Manager (ACM) to enable encryption on the unencrypted AMIs. Copy the encrypted AMIs to the destination Region.
  • D. Copy the unencrypted AMIs to the destination Region. Enable encryption by default in the destination Region.
Suggested Answer: A

Comments

Bibay
Highly Voted 1 year, 7 months ago
A. Create new AMIs, and specify encryption parameters. Copy the encrypted AMIs to the destination Region. Delete the unencrypted AMIs. The best solution for meeting the encryption requirement is to create new AMIs with encryption enabled and copy them to the destination Region. By default, when an AMI is copied to another Region, it is not encrypted in the destination Region even if it is encrypted in the source Region. Therefore, the developer must create new encrypted AMIs that can be used in the destination Region. Once the new encrypted AMIs have been created, they can be copied to the destination Region. The unencrypted AMIs can then be deleted to ensure that all instances running in all Regions are using only encrypted AMIs.
upvoted 25 times
...
Rameez1
Highly Voted 1 year, 2 months ago
Selected Answer: A
A is correct. An unencrypted AMI can't be encrypted after creation. You need to create a new encrypted AMI; then it can be copied to other Regions.
upvoted 10 times
...
sumanshu
Most Recent 2 weeks ago
Selected Answer: A
A) Amazon Machine Images (AMIs) can be encrypted at creation time.
B) Eliminated - AWS KMS does not allow you to encrypt an existing unencrypted AMI directly.
C) Eliminated - AWS Certificate Manager (ACM) is used for managing SSL/TLS certificates, not for encrypting AMIs.
D) Eliminated - It does not retroactively encrypt existing AMIs.
upvoted 2 times
...
trieudo
3 weeks, 1 day ago
Selected Answer: A
==> Discard B: Once an AMI is created, encryption configuration cannot be changed.
==> Discard C: ACM is used as an SSL/TLS connection manager.
==> Discard D: Even if assumed that "encryption by default" is enabled in the destination before copy, the original AMI is still not encrypted, so the condition "AMIs must be encrypted in all Regions" is not met.
A is a popular pattern:
1. Create a snapshot from the original AMI.
2. Encrypt the snapshot using an AWS KMS key.
3. Create a new AMI from the encrypted snapshot.
4. Copy the encrypted AMI to the destination Region.
upvoted 1 times
...
Venky786
2 months ago
Answer is A. While AWS KMS is used to manage encryption keys, it cannot retroactively encrypt an existing unencrypted AMI. Encryption must be specified when creating or copying the AMI.
upvoted 1 times
...
wh1t4k3r
4 months, 3 weeks ago
Selected Answer: A
Regarding B: Once an AMI is created, encryption configuration cannot be changed; you need to create a new one and enable encryption. Another point: if you are planning to share the AMI between accounts, you cannot use AWS managed keys.
upvoted 1 times
...
tomchandler077
6 months ago
Option A ensures all AMIs are encrypted before they are copied to the destination region, meeting the encryption requirement and providing a clear and compliant process for expanding the application to multiple AWS Regions.
upvoted 1 times
...
65703c1
7 months, 2 weeks ago
Selected Answer: A
A is the correct answer.
upvoted 1 times
...
TheFivePips
10 months, 1 week ago
Selected Answer: A
Encryption of an Amazon Machine Image (AMI) is typically tied to the underlying Amazon Elastic Block Store (EBS) snapshots that are associated with the AMI. When you create an AMI, you have the option to specify encryption parameters. If you choose to encrypt the root volume, the resulting AMI will be encrypted. This encryption setting applies to both the root volume and any additional EBS volumes attached to the instance. The encryption status of an EBS snapshot is determined at the time of snapshot creation. Once a snapshot is created, its encryption status remains constant. If you want to encrypt a snapshot, you typically need to create a new snapshot from an encrypted volume. Once an AMI is created, you generally cannot modify its encryption status directly. If you need to change the encryption status, you might need to create a new AMI from an encrypted snapshot.
upvoted 4 times
...
SerialiDr
10 months, 2 weeks ago
Selected Answer: A
A. This approach ensures that all AMIs are encrypted using specified encryption parameters before they are copied to the destination Region, aligning with the company's encryption requirement. AWS provides the capability to encrypt AMIs during the AMI creation process and when copying AMIs between Regions. You can specify an AWS Key Management Service (AWS KMS) customer master key (CMK) during these processes to use for encryption, meeting the requirement to use a company-generated key.
upvoted 1 times
...
gqs3119
1 year ago
C: ACM is about SSL/TLS.
D: Even if assumed that "encryption by default" is enabled in the destination before copy, the original AMI is still not encrypted, so the condition "AMIs must be encrypted in all Regions" is not met.
B: I don't see any option in the AWS Console or docs to encrypt an existing AMI in place. It can be done when copying it. Option B doesn't handle existing unencrypted AMIs.
A: I think A is the best description of the procedure.
upvoted 2 times
...
BluntFarmer
1 year, 1 month ago
I would go with D: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default
It solves the "must be encrypted" issue once and for all, plus you can copy unencrypted to encrypted.
upvoted 2 times
maurice2005
10 months, 3 weeks ago
It still keeps the unencrypted AMI untouched. You have to delete them, but that is not mentioned as explicitly as in A.
upvoted 2 times
...
...
walala97
1 year, 1 month ago
Selected Answer: A
KMS keys are regional, so when you use KMS before you copy to another Region, the second Region still has the unencrypted AMIs. So B is not correct.
upvoted 1 times
...
ronn555
1 year, 2 months ago
A. When you create an encrypted AMI and do not specify the KMS key, AWS will use the default Customer Managed Key, which is the only multi-region key. If you select a KMS key from the origin Region it will not work in the destination Region (presently), so B is not correct.
upvoted 3 times
...
Cerakoted
1 year, 2 months ago
Selected Answer: B
Answer is B. Check this link: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html#ami-copy-encryption
upvoted 2 times
[Removed]
1 year ago
If you read this link carefully it actually proves that B is wrong. The correct answer is A. You cannot enable encryption on an unencrypted AMI. ---> an AMI backed by an unencrypted root snapshot is copied to an AMI with an encrypted root snapshot. The CopyImage action is invoked with two encryption parameters, including a customer managed key. As a result, the encryption status of the root snapshot changes, so that the target AMI is backed by a root snapshot containing the same data as the source snapshot, but encrypted using the specified key.
upvoted 1 times
...
...
manikantaJ
1 year, 2 months ago
Selected Answer: B
Here's why option B is the appropriate choice:
AWS KMS Encryption: AWS KMS is a service that allows you to easily enable encryption for your resources, including Amazon Machine Images (AMIs). You can create a customer managed key (CMK) in AWS KMS and use it to encrypt your AMIs.
Enable Encryption on Unencrypted AMIs: You can enable encryption for unencrypted AMIs by creating a copy of the AMI and specifying the AWS KMS key to use for encryption during the copy process. This ensures that your new AMIs in the destination Region are encrypted.
Maintain Data Integrity: This approach allows you to maintain data integrity and ensure that all AMIs are encrypted in compliance with company requirements.
upvoted 2 times
...
sofiatian
1 year, 3 months ago
Selected Answer: B
Copy an unencrypted source AMI to an encrypted target AMI:
In this scenario, an AMI backed by an unencrypted root snapshot is copied to an AMI with an encrypted root snapshot. The CopyImage action is invoked with two encryption parameters, including a customer managed key. As a result, the encryption status of the root snapshot changes, so that the target AMI is backed by a root snapshot containing the same data as the source snapshot, but encrypted using the specified key.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html
upvoted 2 times
...
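Added example, not part of the thread and not AWS's own code: the CopyImage call with two encryption parameters that the documentation quoted above describes. It checks DescribeImages-shaped data for unencrypted EBS snapshots and builds the request arguments for an encrypted copy. The sample images, the Region name and the key alias `alias/ami-copy-key` are constructed assumptions.

```python
# Constructed sample shaped like an EC2 DescribeImages response (IDs are made up).
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaaaaaaaaaaaaaa1", "Name": "web-base", "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda",
         "Ebs": {"SnapshotId": "snap-0aaaaaaaaaaaaaaa1", "Encrypted": False}}]},
    {"ImageId": "ami-0bbbbbbbbbbbbbbb2", "Name": "db-base", "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda",
         "Ebs": {"SnapshotId": "snap-0bbbbbbbbbbbbbbb2", "Encrypted": True}},
        {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}]},  # instance store: no Ebs key
    {"ImageId": "ami-0ccccccccccccccc3", "Name": "batch-base", "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda",
         "Ebs": {"SnapshotId": "snap-0ccccccccccccccc3", "Encrypted": True}},
        {"DeviceName": "/dev/sdf",
         "Ebs": {"SnapshotId": "snap-0ccccccccccccccc4", "Encrypted": False}}]},
]


def unencrypted_snapshots(image):
    """Snapshot IDs of the image's EBS mappings that are not encrypted."""
    return [m["Ebs"]["SnapshotId"] for m in image.get("BlockDeviceMappings", [])
            if "Ebs" in m and not m["Ebs"].get("Encrypted", False)]


def encrypted_copy_request(image, source_region, dest_kms_key_id):
    """CopyImage arguments that force an encrypted copy in the destination Region.

    Encrypted and KmsKeyId are the two encryption parameters; the KMS key must
    exist in the destination Region, which is where CopyImage is called.
    """
    return {"Name": image["Name"] + "-encrypted", "SourceImageId": image["ImageId"],
            "SourceRegion": source_region, "Encrypted": True,
            "KmsKeyId": dest_kms_key_id}


def plan_copies(images, source_region, dest_kms_key_id):
    """Return (copy requests for every AMI, source AMIs that are still unencrypted)."""
    requests = [encrypted_copy_request(i, source_region, dest_kms_key_id) for i in images]
    noncompliant = {i["ImageId"]: unencrypted_snapshots(i)
                    for i in images if unencrypted_snapshots(i)}
    return requests, noncompliant


if __name__ == "__main__":
    # "alias/ami-copy-key" is a hypothetical alias for a key in the destination Region.
    requests, noncompliant = plan_copies(SAMPLE_IMAGES, "us-east-1", "alias/ami-copy-key")
    for req in requests:
        # With credentials: boto3.client("ec2", region_name=DEST).copy_image(**req)
        print("copy", req["SourceImageId"], "->", req["Name"])
    for ami, snaps in noncompliant.items():
        print("source still unencrypted:", ami, snaps)
```

The second return value lists the source-Region AMIs that still have an unencrypted snapshot after the copies are made; those are the images the encryption requirement still applies to in the source Region.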
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted