
A company recently signed a contract with an AWS Managed Service Provider (MSP) Partner for help with an application migration initiative. A solutions architect needs to share an Amazon Machine Image (AMI) from an existing AWS account with the MSP Partner's AWS account. The AMI is backed by Amazon Elastic Block Store (Amazon EBS) and uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt EBS volume snapshots.
What is the MOST secure way for the solutions architect to share the AMI with the MSP Partner's AWS account?
A. Make the encrypted AMI and snapshots publicly available. Modify the key policy to allow the MSP Partner's AWS account to use the key.
B. Modify the launchPermission property of the AMI. Share the AMI with the MSP Partner's AWS account only. Modify the key policy to allow the MSP Partner's AWS account to use the key.
C. Modify the launchPermission property of the AMI. Share the AMI with the MSP Partner's AWS account only. Modify the key policy to trust a new KMS key that is owned by the MSP Partner for encryption.
D. Export the AMI from the source account to an Amazon S3 bucket in the MSP Partner's AWS account. Encrypt the S3 bucket with a new KMS key that is owned by the MSP Partner. Copy and launch the AMI in the MSP Partner's AWS account.
Explanation:
Correct Answer: B
When sharing an encrypted AMI with another AWS account, two steps are required:
1. Share the AMI: Modify the launchPermission property of the AMI to grant launch permissions to the specific AWS account (the MSP Partner's account). This is done using the ModifyImageAttribute API or through the AWS Management Console.
2. Share the KMS key: Modify the key policy of the customer managed KMS key to allow the MSP Partner's AWS account to use the key for decryption. Without this step, the MSP Partner cannot decrypt the EBS snapshots that back the AMI.
Why other options are incorrect:
Option A: Making the AMI publicly available is NOT secure. This exposes the AMI to all AWS accounts, not just the MSP Partner's account.
Option C: Modifying the key policy to "trust a new KMS key" is incorrect. KMS keys cannot be configured to trust other KMS keys in this way. The MSP Partner needs permission to use the existing KMS key, not to create a trust relationship between keys.
Option D: Exporting to S3 and re-encrypting is unnecessarily complex and introduces additional steps. It also requires the MSP Partner to have permissions to copy and launch the AMI from S3, which adds complexity without security benefits.
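The two steps behind the correct answer, and the over-sharing mistake that option A makes, as an added example (not part of the question page or of any AWS SDK). It builds the ModifyImageAttribute parameters that share the AMI with one account, builds the key-policy statement that lets that account use (not administer) the key, and lints a launchPermission list plus a key policy for public exposure. The account IDs, AMI ID and policy Sids are constructed placeholders; the list of required KMS actions follows the AWS documentation on sharing encrypted AMIs.

```python
"""Share an encrypted AMI with exactly one account and check for over-sharing.

Added example, not code from the question page or from AWS. Account IDs,
the AMI ID and Sids below are constructed placeholders.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# KMS actions the partner account needs so its EC2 service can decrypt the
# snapshots that back the AMI (from the AWS docs on sharing encrypted AMIs).
REQUIRED_KEY_ACTIONS = (
    "kms:DescribeKey",
    "kms:ReEncrypt*",
    "kms:CreateGrant",
    "kms:Decrypt",
)


def launch_permission_request(image_id, partner_account_id):
    """Parameters for EC2 ModifyImageAttribute that add launch permission for
    one account only; this is the shape boto3's modify_image_attribute takes."""
    if not ACCOUNT_ID_RE.match(partner_account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {partner_account_id!r}")
    return {
        "ImageId": image_id,
        "Attribute": "launchPermission",
        "LaunchPermission": {"Add": [{"UserId": partner_account_id}]},
    }


def cross_account_key_statement(partner_account_id, sid="AllowPartnerUseOfKey"):
    """Key-policy statement granting the partner account use of the key.
    The partner's root principal is named so the partner can delegate
    internally via IAM; no kms:* or key-administration actions are granted."""
    if not ACCOUNT_ID_RE.match(partner_account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {partner_account_id!r}")
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{partner_account_id}:root"},
        "Action": list(REQUIRED_KEY_ACTIONS),
        "Resource": "*",
    }


def add_statement(key_policy, statement):
    """Return a copy of key_policy with statement appended (input untouched)."""
    policy = json.loads(json.dumps(key_policy))
    policy.setdefault("Statement", []).append(statement)
    return policy


def _principals(statement):
    """Normalise the Principal element to a flat list of strings."""
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    if isinstance(principal, str):
        principal = [principal]
    return list(principal or [])


def find_public_exposure(launch_permissions, key_policy):
    """Findings for the two ways an encrypted AMI ends up over-shared:
    launchPermission containing Group 'all' (a public AMI, as in option A)
    and an Allow statement whose Principal is '*' with no Condition."""
    findings = []
    for perm in launch_permissions:
        if perm.get("Group") == "all":
            findings.append("AMI launchPermission includes Group 'all' (public AMI)")
    for st in key_policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if "*" in _principals(st) and not st.get("Condition"):
            sid = st.get("Sid", "<no Sid>")
            findings.append(f"key policy statement {sid} allows any principal")
    return findings


if __name__ == "__main__":
    # Constructed demo: source account 999988887777, partner 111122223333.
    base_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "EnableRootPermissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
            "Action": "kms:*",
            "Resource": "*",
        }],
    }
    req = launch_permission_request("ami-0123456789abcdef0", "111122223333")
    policy = add_statement(base_policy, cross_account_key_statement("111122223333"))
    print(json.dumps(req, indent=2))
    print(json.dumps(policy, indent=2))
    print("findings:", find_public_exposure(req["LaunchPermission"]["Add"], policy))
```

In a real run the two dictionaries would be passed to ec2.modify_image_attribute and kms.put_key_policy respectively; the lint function is meant for the output of DescribeImageAttribute (launchPermission) and GetKeyPolicy, so it can be run over existing AMIs and keys to catch option-A style sharing already in place.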
Key Security Considerations:
Use launchPermission to control who can launch instances from the AMI.
AWS Best Practices: