
Answer-first summary for fast verification
Answer: Modify the launchPermission property of the AMI. Share the AMI with the MSP Partner's AWS account only. Modify the key policy to allow the MSP Partner's AWS account to use the key.
## Explanation

**Correct Answer: B**

When sharing an encrypted AMI with another AWS account, two key steps are required:

1. **Share the AMI**: Modify the `launchPermission` property of the AMI to grant launch permissions to the specific AWS account (the MSP Partner's account). This is done using the `ModifyImageAttribute` API or through the AWS Management Console.
2. **Share the KMS key**: Modify the key policy of the customer managed KMS key to allow the MSP Partner's AWS account to use the key for decryption. Without this step, the MSP Partner cannot decrypt the EBS snapshots that back the AMI.

**Why other options are incorrect:**

- **Option A**: Making the AMI publicly available is NOT secure. This exposes the AMI to all AWS accounts, not just the MSP Partner's account.
- **Option C**: Modifying the key policy to "trust a new KMS key" is incorrect. KMS keys cannot be configured to trust other KMS keys in this way. The MSP Partner needs permission to use the existing KMS key, not a trust relationship between keys.
- **Option D**: Exporting to S3 and re-encrypting is unnecessarily complex and introduces additional steps. It also requires the MSP Partner to have permissions to copy and launch the AMI from S3, which adds complexity without security benefits.

**Key Security Considerations:**

- **Principle of Least Privilege**: Only share with the specific AWS account that needs access
- **KMS Key Policy**: Must explicitly grant permissions to the target account
- **AMI Permissions**: Use `launchPermission` to control who can launch instances from the AMI
- **No Public Sharing**: Never make sensitive AMIs publicly available

**AWS Best Practices:**

1. Share AMIs only with specific accounts
2. Ensure KMS key policies grant necessary permissions to target accounts
3. Use IAM policies to control who can modify AMI attributes
4. Monitor AMI sharing activities through AWS CloudTrail
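The two steps above, worked through in code as an added example (this is not LeetQuiz's own code). It builds the `launchPermission` change and the KMS key policy statements for the partner account, then audits a `DescribeImageAttribute` result and a key policy against the least-privilege points in the explanation, flagging the public `Group: all` permission that option A would create. The account ids, AMI id and the `ami-sharing-key-policy` policy id are constructed placeholders; nothing here calls AWS.

```python
# Added example (not LeetQuiz's own code); ids below are constructed placeholders.
import json

SOURCE_ACCOUNT = "111111111111"    # owns the AMI and the KMS key (placeholder)
PARTNER_ACCOUNT = "222222222222"   # the MSP Partner's account (placeholder)
AMI_ID = "ami-0123456789abcdef0"   # placeholder


def launch_permission_request(ami_id, account_id):
    """Parameters for ec2 ModifyImageAttribute: add exactly one account to
    launchPermission rather than the public group 'all' (option A)."""
    return {"ImageId": ami_id,
            "LaunchPermission": {"Add": [{"UserId": account_id}]}}


def partner_key_statements(partner_account_id):
    """Key policy statements that let the partner account use the key to
    decrypt the snapshots and create grants for EC2/EBS when launching."""
    principal = {"AWS": f"arn:aws:iam::{partner_account_id}:root"}
    return [
        {"Sid": "AllowPartnerUseOfTheKey", "Effect": "Allow", "Principal": principal,
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "AllowPartnerGrantsForAWSResources", "Effect": "Allow", "Principal": principal,
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         # grants may only be created on behalf of an AWS service (EC2/EBS)
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]


def key_policy_with_partner(source_account_id, partner_account_id):
    """Complete key policy: the owning account keeps full control, the partner
    account gets only the statements above."""
    owner = {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{source_account_id}:root"},
             "Action": "kms:*", "Resource": "*"}
    return {"Version": "2012-10-17", "Id": "ami-sharing-key-policy",
            "Statement": [owner, *partner_key_statements(partner_account_id)]}


def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten a statement's Principal element into a list of strings."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return []


def audit_sharing(launch_permissions, key_policy, partner_account_id):
    """Check a DescribeImageAttribute launchPermission list and a key policy
    against the least-privilege points in the explanation. Returns findings;
    an empty list means the sharing matches option B."""
    findings = []
    if any(p.get("Group") == "all" for p in launch_permissions):   # EC2's public marker
        findings.append("AMI is public: launchPermission contains group 'all'")
    shared_with = {p["UserId"] for p in launch_permissions if "UserId" in p}
    if partner_account_id not in shared_with:
        findings.append("partner account is missing from launchPermission")
    extra = shared_with - {partner_account_id}
    if extra:
        findings.append(f"AMI also shared with unexpected accounts: {sorted(extra)}")

    partner_arn = f"arn:aws:iam::{partner_account_id}:root"
    partner_can_decrypt = False
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals, actions = _principals(stmt), _as_list(stmt.get("Action"))
        if "*" in principals and "Condition" not in stmt:
            findings.append(f"key policy statement {stmt.get('Sid')} allows any principal")
        if partner_arn in principals and any(a in ("kms:Decrypt", "kms:*") for a in actions):
            partner_can_decrypt = True
    if not partner_can_decrypt:
        findings.append("key policy does not allow the partner account to kms:Decrypt")
    return findings


if __name__ == "__main__":
    policy = key_policy_with_partner(SOURCE_ACCOUNT, PARTNER_ACCOUNT)
    print(json.dumps(launch_permission_request(AMI_ID, PARTNER_ACCOUNT), indent=2))
    print(json.dumps(policy, indent=2))
    # constructed DescribeImageAttribute results: correct (option B) and public (option A)
    print(audit_sharing([{"UserId": PARTNER_ACCOUNT}], policy, PARTNER_ACCOUNT))
    print(audit_sharing([{"UserId": PARTNER_ACCOUNT}, {"Group": "all"}], policy, PARTNER_ACCOUNT))
```

The two partner statements have the same shape as the ones the KMS console generates when you add "other AWS accounts" to a key; the `kms:CreateGrant` statement is needed because EC2 creates grants on the key when it attaches the decrypted EBS volumes at launch. The key policy alone is not sufficient on the partner side: IAM principals in the MSP Partner's account still need identity policies that allow the same `kms:` actions, and an audit like the one above can be run on the `DescribeImageAttribute` and `GetKeyPolicy` output after the change to confirm that only the intended account was added.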
Author: LeetQuiz Editorial Team
A company recently signed a contract with an AWS Managed Service Provider (MSP) Partner for help with an application migration initiative. A solutions architect needs to share an Amazon Machine Image (AMI) from an existing AWS account with the MSP Partner's AWS account. The AMI is backed by Amazon Elastic Block Store (Amazon EBS) and uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt EBS volume snapshots.
What is the MOST secure way for the solutions architect to share the AMI with the MSP Partner's AWS account?
A
Make the encrypted AMI and snapshots publicly available. Modify the key policy to allow the MSP Partner's AWS account to use the key.
B
Modify the launchPermission property of the AMI. Share the AMI with the MSP Partner's AWS account only. Modify the key policy to allow the MSP Partner's AWS account to use the key.
C
Modify the launchPermission property of the AMI. Share the AMI with the MSP Partner's AWS account only. Modify the key policy to trust a new KMS key that is owned by the MSP Partner for encryption.
D
Export the AMI from the source account to an Amazon S3 bucket in the MSP Partner's AWS account. Encrypt the S3 bucket with a new KMS key that is owned by the MSP Partner. Copy and launch the AMI in the MSP Partner's AWS account.