ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified SysOps Administrator - Associate All Questions

View all questions & answers for the AWS Certified SysOps Administrator - Associate exam
Go to Exam

Exam AWS Certified SysOps Administrator - Associate topic 1 question 114 discussion

Exam question from Amazon's AWS Certified SysOps Administrator - Associate
Question #: 114
Topic #: 1
[All AWS Certified SysOps Administrator - Associate Questions]

A SysOps administrator has an AWS CloudFormation template that is used to deploy an encrypted Amazon Machine Image (AMI). The CloudFormation template will be used in a second account so the SysOps administrator copies the encrypted AMI to the second account. When launching the new CloudFormation stack in the second account, it fails.
Which action should the SysOps administrator take to correct the issue?

  • A. Change the AMI permissions to mark the AMI as public.
  • B. Deregister the AMI in the source account.
  • C. Re-encrypt the destination AMI with an AWS Key Management Service (AWS KMS) key from the destination account.
  • D. Update the CloudFormation template with the ID of the AMI in the destination account.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by princajen at Sept. 4, 2022, 6:31 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
princajen
Highly Voted 2 years, 10 months ago
Selected Answer: C
C! While launching the instance from a shared encrypted AMI, you can specify a KMS key of your choice. You may also choose cmkSource to encrypt volumes in your account. However, we recommend that you re-encrypt the volumes using a KMS key in the target account. This protects you if the source KMS key is compromised, or if the source account revokes permissions, which could cause you to lose access to any encrypted volumes you created using cmkSource. https://aws.amazon.com/blogs/security/how-to-share-encrypted-amis-across-accounts-to-launch-encrypted-ec2-instances/
upvoted 10 times
TareDHakim
1 year, 6 months ago
thanks for the URL - however, this URL indicates the answer is actually D and NOT C.
upvoted 2 times
...
...
braveheart22
Highly Voted 2 years, 4 months ago
I'm inclined toward D in every sense.
upvoted 7 times
tamng
1 year, 6 months ago
C is correct
upvoted 1 times
...
...
Nhat_Quang
Most Recent 6 days, 14 hours ago
Selected Answer: D
Answer D
upvoted 1 times
...
Nhat_Quang
6 days, 14 hours ago
Selected Answer: D
Answer:D
upvoted 1 times
...
heshamahammad
2 months, 2 weeks ago
Selected Answer: C
Definetly C, "While launching the instance from a shared encrypted AMI, you can specify a KMS key of your choice. You may also choose cmkSource to encrypt volumes in your account. However, we recommend that you re-encrypt the volumes using a KMS key in the target account. This protects you if the source KMS key is compromised, or if the source account revokes permissions, which could cause you to lose access to any encrypted volumes you created using cmkSource." https://aws.amazon.com/blogs/security/how-to-share-encrypted-amis-across-accounts-to-launch-encrypted-ec2-instances/
upvoted 1 times
...
arsovai
2 months, 2 weeks ago
Selected Answer: C
Even if you update the AMI ID, if the encryption issue isn't resolved, the stack will still fail
upvoted 1 times
...
OlehKom
7 months ago
Selected Answer: C
D only can be a valid solution if it explicitly says that the 2d has access to the shared AMI and KSM key. Only after that you could update the template with the existing AMI id BUT it’s not explicitly mentioned that the second account has been granted access to the encrypted AMI or the KMS key. Without explicitly granting access, the second account cannot use the AMI. This is why re-encryption in the second account can be a necessary step to ensure smooth deployment, so C
upvoted 1 times
...
numark
7 months, 3 weeks ago
Answer is D: When an encrypted Amazon Machine Image (AMI) is copied to another AWS account, it gets a new AMI ID in the destination account. The CloudFormation template in the second account must reference the new AMI ID to successfully launch the stack. Not C: While this step is often part of copying an encrypted AMI between accounts, it does not fix the issue in this scenario. The new AMI in the destination account is already encrypted with a KMS key from the second account. The failure occurs because the CloudFormation template is still referencing the old AMI ID.
upvoted 1 times
...
tsangckl
1 year, 1 month ago
Selected Answer: D
By copilot The SysOps administrator should take action D. Update the CloudFormation template with the ID of the AMI in the destination account. When an AMI is copied to another account, it gets a new AMI ID. The CloudFormation template in the second account is likely still referencing the AMI ID from the original account, which is causing the stack deployment to fail. By updating the template with the new AMI ID, the stack deployment should proceed without issues. Other options (A, B, C) are not relevant to the issue described.
upvoted 4 times
tsangckl
1 year, 1 month ago
When you copy an AMI, the copied AMI is encrypted using the same AWS KMS key as the original AMI, by default. If the original AMI is encrypted with a default EBS key, the copied AMI will also be encrypted with a default EBS key, and this key will be unique to the account to which the AMI is copied. Therefore, there’s no need to re-encrypt the AMI in the destination account.vThe issue here is that the CloudFormation template is still referencing the old AMI ID from the source account, which is not recognized in the destination account. Hence, updating the CloudFormation template with the new AMI ID (option D) is the correct action to resolve the issue.
upvoted 3 times
...
...
AgboolaKun
1 year, 1 month ago
Selected Answer: C
Sincerely, any of the C or D could cause the template to fail. However, I will go for C since the emphasis is on encryption and best practice in this situation expects that you re-encrypt the volumes using a KMS key in the destination account.
upvoted 1 times
...
a6a3d55
1 year, 2 months ago
Selected Answer: D
Even if you reencrypt it will still not work until the AMI ID is changed in the template
upvoted 3 times
...
seetpt
1 year, 3 months ago
Selected Answer: C
I vote for C
upvoted 1 times
...
stoy123
1 year, 4 months ago
Selected Answer: D
D for sure
upvoted 4 times
...
henro4niger
1 year, 5 months ago
I will go with D. Why do I need to re-encrypt the ami in the second account when I can just update the template with the ami ID of the target account? D is definitely the answer, moreover, C will introduce serious complexity
upvoted 1 times
vivanchyk
1 year, 4 months ago
While it is necessary to update the CloudFormation template with the new AMI ID after copying it to the destination account, this action alone won't solve the encryption key access issue. The failure is likely due to the lack of access to the KMS key, not merely the AMI ID reference When an AMI is encrypted, it is done so using a specific AWS Key Management Service (KMS) key. If you copy an encrypted AMI to another AWS account, the destination account needs appropriate permissions to use the KMS key that encrypted the AMI, or the AMI needs to be re-encrypted with a KMS key that belongs to the destination account.
upvoted 1 times
...
...
xdkonorek2
1 year, 6 months ago
Selected Answer: D
Definitely D Copied AMI already is encrypted by KMS key that is stored in target aws account.
upvoted 2 times
vivanchyk
1 year, 4 months ago
where is it said that "Copied AMI already is encrypted by KMS key that is stored in target aws account." ???
upvoted 1 times
Aamee
10 months ago
See this comment by a user above. This is what he said to justify the ans. D selection is correct here: "When you copy an AMI, the copied AMI is encrypted using the same AWS KMS key as the original AMI, by default. If the original AMI is encrypted with a default EBS key, the copied AMI will also be encrypted with a default EBS key, and this key will be unique to the account to which the AMI is copied. "
upvoted 1 times
...
...
...
tamng
1 year, 6 months ago
C not D
upvoted 1 times
...
Hatem08
1 year, 7 months ago
Selected Answer: C
ccccccc
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel