Topic 1 Question 260
A company's SysOps administrator has created an Amazon EC2 instance with custom software that will be used as a template for all new EC2 instances across multiple AWS accounts. The Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the EC2 instance are encrypted with AWS managed keys.
The SysOps administrator creates an Amazon Machine Image (AMI) of the custom EC2 instance and plans to share the AMI with the company's other AWS accounts. The company requires that all AMIs are encrypted with AWS Key Management Service (AWS KMS) keys and that only authorized AWS accounts can access the shared AMIs.
Which solution will securely share the AMI with the other AWS accounts?
A. In the account where the AMI was created, create a customer managed KMS key. Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.
B. In the account where the AMI was created, create a customer managed KMS key. Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI, and specify the KMS key. Modify the permissions on the copied AMI to specify the AWS account numbers that the AMI will be shared with.
C. In the account where the AMI was created, create a customer managed KMS key. Modify the key policy to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Create a copy of the AMI, and specify the KMS key. Modify the permissions on the copied AMI to make it public.
D. In the account where the AMI was created, modify the key policy of the AWS managed key to provide kms:DescribeKey, kms:ReEncrypt*, kms:CreateGrant, and kms:Decrypt permissions to the AWS accounts that the AMI will be shared with. Modify the AMI permissions to specify the AWS account numbers that the AMI will be shared with.
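The copy-then-share procedure from the second option (B), as an added Python example that is not from the original page: boto3-style calls that copy the AMI onto a customer managed key and grant launch permission only to listed accounts, together with the key-policy statement carrying the four KMS actions the question lists and a check that rejects the public launch permission of the third option (C). The FakeEc2 client, the account ids and the AMI ids are constructed placeholders, and the key alias is assumed.

```python
import re

# The four key-policy actions the question lists for the consumer accounts.
KMS_ACTIONS_FOR_CONSUMERS = ["kms:DescribeKey", "kms:ReEncrypt*", "kms:CreateGrant", "kms:Decrypt"]
ACCOUNT_ID = re.compile(r"^\d{12}$")


def consumer_key_policy_statement(account_ids):
    """Key-policy statement for the customer managed key; rejects malformed or empty account lists."""
    if not account_ids or any(not ACCOUNT_ID.match(a) for a in account_ids):
        raise ValueError(f"need one or more 12-digit account ids, got {account_ids!r}")
    return {
        "Sid": "AllowSharedAmiConsumers",
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in account_ids]},
        "Action": KMS_ACTIONS_FOR_CONSUMERS,
        "Resource": "*",
    }

def consumer_accounts(launch_permissions):
    """Return the account ids in an AMI's launch permissions; a Group 'all' entry means the AMI is public."""
    if any(p.get("Group") == "all" for p in launch_permissions):
        raise ValueError("AMI has a public launch permission")
    return [p["UserId"] for p in launch_permissions if "UserId" in p]

def share_encrypted_ami(ec2, source_image_id, source_region, kms_key_id, account_ids, name):
    """Copy the AMI onto the customer managed key, wait for the copy, then add per-account launch permissions."""
    consumer_key_policy_statement(account_ids)  # same validation as the key policy
    copied = ec2.copy_image(SourceImageId=source_image_id, SourceRegion=source_region, Name=name,
                            Encrypted=True, KmsKeyId=kms_key_id)
    image_id = copied["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[image_id])  # copy must finish before it can be shared
    grants = [{"UserId": a} for a in account_ids]
    consumer_accounts(grants)  # never a {"Group": "all"} entry
    ec2.modify_image_attribute(ImageId=image_id, LaunchPermission={"Add": grants})
    return image_id

class FakeEc2:
    """Constructed stand-in for the boto3 EC2 client so the example runs offline; records each call."""
    def __init__(self):
        self.calls = []
    def copy_image(self, **kw):
        self.calls.append(("copy_image", kw))
        return {"ImageId": "ami-PLACEHOLDERCOPY"}  # constructed id, not a real AMI
    def get_waiter(self, name):
        return self  # wait() below is a no-op
    def wait(self, **kw):
        pass
    def modify_image_attribute(self, **kw):
        self.calls.append(("modify_image_attribute", kw))
```

With a real boto3 client in place of FakeEc2 the same calls run against the account that owns the AMI; the key policy statement is applied to the customer managed key before the copy is made.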
User votes
Comments (7)
- Option I think is correct: B
Things to note: you have an EC2 instance with encrypted EBS volumes with AWS managed keys (key point right here). Then, you create an AMI from this EC2 instance. This means it will be encrypted with that same AWS managed key. The requirement is simple: use KMS managed keys and only share with authorized accounts. Now the options:
A - This starts well, as you need a customer managed KMS key to be able to change the policy and add those kms actions for the other AWS accounts; however, that won't help with your AMI since it's still encrypted with the AWS managed key. C - This sounds good right up until the end; public kills it. Even though they won't have the actions, you don't want to make it public. D - It can't be D; you cannot modify the policy on an AWS managed key.
👍 5
defmania00 2023/02/26
- Option I think is correct: D
All answers assumed that the AMI was created, so the correct answer should be D.
👍 3
anderri 2023/02/15
Ans D, AWS key
👍 10
timepass 2023/02/15