
Answer-first summary for fast verification
Answer: By adjusting the AMI's launch permissions and key policy to allow only the MSP Partner's AWS account to use the image and key.
The most secure and appropriate way to share an AMI encrypted with AWS Key Management Service (AWS KMS) is to modify the AMI's launchPermission property so that it is shared only with the MSP Partner's AWS account. Additionally, the key policy of the customer-managed key must be updated to allow the MSP Partner's AWS account to use the key for decryption. This restricts access to the intended AWS account only, and the encryption remains intact. The other options either make the AMI publicly available, involve changing key ownership, or overcomplicate the process, which might introduce security risks.
Author: LeetQuiz Editorial Team
How should a solutions architect securely share an EBS-backed, KMS-encrypted Amazon Machine Image (AMI) with an AWS Managed Service Provider (MSP) Partner's AWS account during an application migration initiative?
A. By making the AMI and snapshots public and updating the key policy for the MSP Partner's access.
B. By adjusting the AMI's launch permissions and key policy to allow only the MSP Partner's AWS account to use the image and key.
C. By changing launch permissions and key policy to trust a new KMS key owned by the MSP Partner for encryption.
D. By exporting the AMI to an S3 bucket in the MSP Partner's account, encrypting it with a new key owned by the MSP Partner, and then copying and launching it there.