
A company stores confidential data in an Amazon Aurora PostgreSQL database in the ap-southeast-3 Region. The database is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The company was recently acquired and must securely share a backup of the database with the acquiring company's AWS account in ap-southeast-3.
What should a solutions architect do to meet these requirements?
A. Create a database snapshot. Copy the snapshot to a new unencrypted snapshot. Share the new snapshot with the acquiring company’s AWS account.
B. Create a database snapshot. Add the acquiring company’s AWS account to the KMS key policy. Share the snapshot with the acquiring company’s AWS account.
C. Create a database snapshot that uses a different AWS managed KMS key. Add the acquiring company’s AWS account to the KMS key alias. Share the snapshot with the acquiring company’s AWS account.
D. Create a database snapshot. Download the database snapshot. Upload the database snapshot to an Amazon S3 bucket. Update the S3 bucket policy to allow access from the acquiring company’s AWS account.
Explanation:
Correct Answer: B
When sharing encrypted Amazon Aurora database snapshots between AWS accounts, the target account must have access to the KMS key used to encrypt the snapshot. Here's why option B is correct:
Database snapshots inherit encryption: When you create a snapshot of an encrypted Aurora database, the snapshot is also encrypted with the same KMS key.
KMS key access is required: For another AWS account to access and restore an encrypted snapshot, that account must have permission to use the KMS key that encrypted the snapshot.
Key policy modification: Adding the acquiring company's AWS account to the KMS key policy grants them the necessary permissions to use the key for cryptographic operations.
Snapshot sharing: After modifying the key policy, you can share the snapshot with the target AWS account using the AWS Management Console, CLI, or API.
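The key-policy change described above, as an added example that is not part of the original page: it builds the statements for the acquiring account and audits a policy before and after they are appended. The account IDs, the sample policy, the function names and the action lists (modelled on the pattern AWS documents for sharing encrypted snapshots) are assumptions.

```python
import fnmatch

# Assumed action set, modelled on AWS's documented key-policy pattern for
# sharing encrypted snapshots; trim it to what your restore path needs.
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
NEEDED = ("kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant")  # assumed minimum the audit checks

# Constructed sample: key policy that only trusts the owning account.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnerAdmin", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}

def cross_account_statements(account_id):
    """Statements to append to the key policy for the acquiring account."""
    principal = {"AWS": f"arn:aws:iam::{account_id}:root"}
    return [
        {"Sid": "AllowUseOfKey", "Effect": "Allow", "Principal": principal,
         "Action": USE_ACTIONS, "Resource": "*"},
        # Grants are only allowed when an AWS service (here RDS) requests them.
        {"Sid": "AllowGrantsForAwsResources", "Effect": "Allow",
         "Principal": principal, "Action": GRANT_ACTIONS, "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]

def _listify(value):
    return value if isinstance(value, list) else [value]

def audit_key_policy(policy, account_id, needed=NEEDED):
    """Return findings for account_id; an empty list means the check passed.
    Reads Allow statements that name the account; Deny is not evaluated."""
    root = f"arn:aws:iam::{account_id}:root"
    granted, findings = set(), []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        aws = _listify(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not {root, account_id} & set(aws):
            continue
        limited = stmt.get("Condition", {}).get("Bool", {}).get(
            "kms:GrantIsForAWSResource") in ("true", True)
        for pattern in _listify(stmt.get("Action", [])):
            hits = {a for a in needed if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
            granted |= hits
            if "kms:CreateGrant" in hits and not limited:
                findings.append("kms:CreateGrant lacks kms:GrantIsForAWSResource")
    return findings + [f"missing {a}" for a in needed if a not in granted]
```

The merged policy document is what you would pass to `aws kms put-key-policy` before sharing the snapshot with `aws rds modify-db-cluster-snapshot-attribute`.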
Why other options are incorrect:
Best Practice: Always maintain encryption for confidential data and properly manage KMS key policies for cross-account sharing scenarios.