ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Associate SAA-C03 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Associate SAA-C03 exam
Go to Exam

Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 80 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Associate SAA-C03
Question #: 80
Topic #: 1
[All AWS Certified Solutions Architect - Associate SAA-C03 Questions]

A company recently signed a contract with an AWS Managed Service Provider (MSP) Partner for help with an application migration initiative. A solutions architect needs ta share an Amazon Machine Image (AMI) from an existing AWS account with the MSP Partner's AWS account. The AMI is backed by Amazon Elastic Block Store (Amazon EBS) and uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt EBS volume snapshots.
What is the MOST secure way for the solutions architect to share the AMI with the MSP Partner's AWS account?

  • A. Make the encrypted AMI and snapshots publicly available. Modify the key policy to allow the MSP Partner's AWS account to use the key.
  • B. Modify the launchPermission property of the AMI. Share the AMI with the MSP Partner's AWS account only. Modify the key policy to allow the MSP Partner's AWS account to use the key.
  • C. Modify the launchPermission property of the AMI. Share the AMI with the MSP Partner's AWS account only. Modify the key policy to trust a new KMS key that is owned by the MSP Partner for encryption.
  • D. Export the AMI from the source account to an Amazon S3 bucket in the MSP Partner's AWS account, Encrypt the S3 bucket with a new KMS key that is owned by the MSP Partner. Copy and launch the AMI in the MSP Partner's AWS account.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by Chunsli at Oct. 16, 2022, 7:26 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Sauran
Highly Voted 2 years, 3 months ago
Selected Answer: B
Share the existing KMS key with the MSP external account because it has already been used to encrypt the AMI snapshot. https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
upvoted 20 times
...
Buruguduystunstugudunstuy
Highly Voted 2 years, 1 month ago
Selected Answer: B
***CORRECT*** B. Modify the launchPermission property of the AMI. The most secure way for the solutions architect to share the AMI with the MSP Partner's AWS account would be to modify the launchPermission property of the AMI and share it with the MSP Partner's AWS account only. The key policy should also be modified to allow the MSP Partner's AWS account to use the key. This ensures that the AMI is only shared with the MSP Partner and is encrypted with a key that they are authorized to use.
upvoted 14 times
Buruguduystunstugudunstuy
2 years, 1 month ago
Option A, making the AMI and snapshots publicly available, is not a secure option as it would allow anyone with access to the AMI to use it. Option C, modifying the key policy to trust a new KMS key owned by the MSP Partner, is also not a secure option as it would involve sharing the key with the MSP Partner, which could potentially compromise the security of the data encrypted with the key. Option D, exporting the AMI to an S3 bucket in the MSP Partner's AWS account and encrypting the S3 bucket with a new KMS key owned by the MSP Partner, is also not the most secure option as it involves sharing the AMI and a new key with the MSP Partner, which could potentially compromise the security of the data.
upvoted 15 times
Gizmo2022
1 month, 3 weeks ago
Thank u so much for explaining this Buruguduy
upvoted 2 times
...
...
...
FlyingHawk
Most Recent 3 days, 1 hour ago
Selected Answer: B
I got this wrong, select D initially, but after read the comments, I agree B is the right solution. 1. https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/tkv-set-ami-launch-perms.html 2. https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/tkv-set-ami-launch-perms.html
upvoted 1 times
...
satyaammm
2 weeks, 5 days ago
Selected Answer: B
Updating the key policy is the most secure way to get access here.
upvoted 1 times
...
PaulGa
4 months, 1 week ago
Selected Answer: B
Ans B - keep the control simple by only allowing MSP Partner access to the key
upvoted 2 times
...
awsgeek75
1 year ago
Selected Answer: B
AD are unsecure. I was confused between B and C but read the article (link below). You have to allow the other account to use your key somehow otherwise they won't be able to use your AMI. C just allows a trust relationship with MSP's KMS, it won't give them access to your key. https://aws.amazon.com/blogs/security/how-to-share-encrypted-amis-across-accounts-to-launch-encrypted-ec2-instances/
upvoted 4 times
...
xdkonorek2
1 year, 2 months ago
Selected Answer: B
when you export AMI to s3 bucket it remains encrypted, so partner couldn't launch ec2 instance
upvoted 2 times
...
Ruffyit
1 year, 2 months ago
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html
upvoted 2 times
...
TariqKipkemei
1 year, 5 months ago
Selected Answer: B
Share the AMI and Key with the MSP Partner's AWS account only
upvoted 2 times
...
tamefi5512
1 year, 6 months ago
Selected Answer: B
B - is the Answer https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
upvoted 2 times
...
cookieMr
1 year, 7 months ago
Selected Answer: B
By modifying the launchPermission property of the AMI and sharing it with the MSP Partner's account only, the solutions architect restricts access to the AMI and ensures that it is not publicly available. Additionally, modifying the key policy to allow the MSP Partner's account to use KMS customer managed key used for encrypting the EBS snapshots ensures that the MSP Partner has the necessary permissions to access and use the key for decryption.
upvoted 3 times
...
Abrar2022
1 year, 8 months ago
CORRECTION to my last comment Option B is correct not A. Explanation why.. Making the AMI and snapshots publicly available, is not a secure option as it would allow anyone with access to the AMI to use it. Best practice would be to share the AMI with the MSP Partner's AWS account then Modify launchPermission property of the AMI. This ensures that the AMI is shared only with the MSP Partner and is encrypted with a key that they are authorised to use.
upvoted 3 times
...
Abrar2022
1 year, 8 months ago
Selected Answer: A
Option A, making the AMI and snapshots publicly available, is not a secure option as it would allow anyone with access to the AMI to use it. Best practice would be to share the AMI with the MSP Partner's AWS account then Modify launchPermission property of the AMI. This ensures that the AMI is shared only with the MSP Partner and is encrypted with a key that they are authorised to use.
upvoted 1 times
...
draum010
1 year, 10 months ago
Selected Answer: D
Option D
upvoted 1 times
...
career360guru
2 years, 1 month ago
Selected Answer: B
Option B
upvoted 1 times
...
Jtic
2 years, 2 months ago
Selected Answer: B
Must use and share the existing KMS key to decrypt the same key
upvoted 3 times
...
flbcobra
2 years, 2 months ago
Selected Answer: B
https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-expiration/
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago