Exam AWS Certified SysOps Administrator - Associate All Questions


Exam AWS Certified SysOps Administrator - Associate topic 1 question 260 discussion

A company's SysOps administrator has created an Amazon EC2 instance with custom software that will be used as a template for all new EC2 instances across multiple AWS accounts. The Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the EC2 instance are encrypted with AWS managed keys.

The SysOps administrator creates an Amazon Machine Image (AMI) of the custom EC2 instance and plans to share the AMI with the company's other AWS accounts. The company requires that all AMIs are encrypted with AWS Key Management Service (AWS KMS) keys and that only authorized AWS accounts can access the shared AMIs.

Which solution will securely share the AMI with the other AWS accounts?

  • A. In the account where the AMI was created, create a customer managed KMS key. Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.
  • B. In the account where the AMI was created, create a customer managed KMS key. Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI, and specify the KMS key. Modify the permissions on the copied AMI to specify the AWS account numbers that the AMI will be shared with.
  • C. In the account where the AMI was created, create a customer managed KMS key. Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI, and specify the KMS key. Modify the permissions on the copied AMI to make it public.
  • D. In the account where the AMI was created, modify the key policy of the AWS managed key to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.
Suggested Answer: B
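The three steps of option B, modelled as an added example (not from the exam page or any AWS SDK): the key policy document that `aws kms put-key-policy` would take, the LaunchPermission value that `aws ec2 modify-image-attribute --launch-permission` would take after `aws ec2 copy-image --encrypted --kms-key-id`, and an audit function that rejects the reasons C and D fail. Account IDs and key metadata are constructed sample values; the KeyManager field is the one `aws kms describe-key` returns ("AWS" for an AWS managed key, "CUSTOMER" for a customer managed key).

```python
import json

# The four KMS actions the question grants to the receiving accounts.
SHARED_ACCOUNT_KMS_ACTIONS = ["kms:DescribeKey", "kms:ReEncrypt*", "kms:CreateGrant", "kms:Decrypt"]


def build_key_policy(owner_account, shared_accounts):
    """Key policy for a customer managed KMS key: full control for the owning
    account's root and only the four sharing actions for each named account."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "OwnerAccountAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "SharedAccountsUseKeyForAmi", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{acct}:root" for acct in shared_accounts]},
         "Action": SHARED_ACCOUNT_KMS_ACTIONS, "Resource": "*"},
    ]}


def launch_permission(shared_accounts):
    """LaunchPermission value for the copied AMI: named account IDs only, never Group=all."""
    return {"Add": [{"UserId": acct} for acct in shared_accounts]}


def audit_share(key_metadata, key_policy, launch_perm):
    """Return the reasons a planned share violates the requirement (empty list = OK).
    key_metadata mirrors the KeyMetadata object from `aws kms describe-key`."""
    findings = []
    if key_metadata.get("KeyManager") != "CUSTOMER":  # AWS managed key: policy is not editable
        findings.append("key is not customer managed; its policy cannot be changed (rules out D)")
    for st in key_policy["Statement"]:
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {st.get('Sid')} grants key use to everyone")
    for entry in launch_perm.get("Add", []):
        if entry.get("Group") == "all":
            findings.append("launch permission makes the AMI public (rules out C)")
    return findings


if __name__ == "__main__":
    # Constructed sample values; real account IDs and key IDs come from your own environment.
    owner, targets = "111111111111", ["222222222222", "333333333333"]
    cmk_meta = {"KeyId": "EXAMPLE-KEY-ID", "KeyManager": "CUSTOMER"}
    policy = build_key_policy(owner, targets)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_share(cmk_meta, policy, launch_permission(targets)))
```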

Comments

defmania00
Highly Voted 1 year, 2 months ago
Selected Answer: B
Things to note: you have an EC2 instance with encrypted EBS volumes with AWS managed keys (key point right here). Then, you create an AMI from this EC2 instance. This means it will be encrypted with that same AWS managed key. The requirement is simple: use KMS managed keys and only share with authorized accounts. Now the options: A - This starts good as you need a customer managed KMS key to be able to change the policy and add those kms actions to the other AWS accounts; however, that won't help with your AMI since it's still encrypted with the AWS managed key. C - This sounds good right up until the end, public kills it. Even though they won't have the actions, you don't want to make it public. D - Can't be D, you cannot modify the policy on an AWS managed key.
upvoted 16 times
Gomer
Highly Voted 12 months ago
Selected Answer: B
Can't share "AWS managed key" with other accounts. Even though these keys are created transparently by default in the background for many services, since you can't share them or export them, the data is ONLY good within that account. If you want to start sharing things, then you have to use customer managed KMS keys (so you are responsible for encryption security and not AWS).
upvoted 5 times
walala97
Most Recent 6 months ago
Selected Answer: B
Option A: still encrypted with the AWS managed key, but we need KMS managed keys, so A is out.
upvoted 3 times
jipark
8 months, 1 week ago
Selected Answer: B
1. create Key (D out) 2. create copy of AMI (C out) 3. share with accounts - not public (B out)
upvoted 1 times
Vivec
1 year, 1 month ago
Selected Answer: B
Option D is incorrect because modifying the key policy of the AWS managed key is not recommended, and it is not possible to share an AMI encrypted with an AWS managed key with other AWS accounts; you need to use a customer managed key. Just to clear up why it is not answer D, because I see there are some claims to support that answer.
upvoted 1 times
ihustle
1 year, 1 month ago
The answer is B. defmania00 does justice to the needed explanation.
upvoted 1 times
grka25
1 year, 1 month ago
I was doing this scenario last week. B is the correct answer.
upvoted 1 times
anderri
1 year, 2 months ago
Selected Answer: D
All answers assumed that the AMI was created, so the correct answer should be D.
upvoted 3 times
0timepass
1 year, 2 months ago
Ans D, aws key
upvoted 2 times