Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 777 discussion

Changing to options AC

c=>https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html#allow-org-ou-to-use-key A-->https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html#share-amis-org-ou

A - The security OU is explicitly allowing the development OU to use the AMI. B - OK but too broad, and not secure. C - Now they can use the encrypted snapshots. D - Would be too much trouble if there are many accounts. A is enough. E - Recreate the AWS KMS key? Uhm, why?

AnswerAC Option A will allow to run/lunch AMIs Option C will allow to decript AMIs which is necessery to run AMI.

CD - Solution C: Update the Key Policy Why: The AMIs are created using KMS-encrypted snapshots, so the KMS keys must allow the development team's accounts to use these keys for decrypting the snapshots. How: Update the key policy of the KMS key to include permissions for the development OU or specific accounts within that OU. This will enable those accounts to use the KMS key for decrypting the snapshots associated with the AMIs. Solution D: Add the Development Team’s Account ARN to the Launch Permission List Why: To share the AMIs with the development accounts, you need to grant launch permissions to those accounts. This allows the specified accounts to use the shared AMIs to launch instances. How: Add the ARNs of the development team's accounts to the launch permission list of the AMIs. This can be done using the modify-image-attribute command in the AWS CLI, specifying the account IDs that should have launch permissions.

A : give users the right to launch C : give users the right to decrypt

Option CD