AWS Certified Database – Specialty — Question 338

A company's application development team wants to share an automated snapshot of its Amazon RDS database with another team. The database is encrypted with a custom AWS Key Management Service (AWS KMS) key under the "WeShare" AWS account. The application development team needs to share the DB snapshot under the "WeReceive" AWS account.
Which combination of actions must the application development team take to meet these requirements? (Choose two.)

Answer options

• A. Add access from the "WeReceive" account to the custom AWS KMS key policy of the sharing team.
• B. Make a copy of the DB snapshot, and set the encryption option to disable.
• C. Share the DB snapshot by setting the DB snapshot visibility option to public.
• D. Make a copy of the DB snapshot, and set the encryption option to enable.
• E. Share the DB snapshot by using the default AWS KMS encryption key.

Correct answer: A, D

Explanation

To share an encrypted Amazon RDS snapshot with another AWS account, you cannot share an automated snapshot directly; you must first copy it to a manual snapshot while keeping encryption enabled. Additionally, because the snapshot is encrypted with a custom AWS KMS key, the sharing account ('WeShare') must grant the receiving account ('WeReceive') permissions to use that custom KMS key by updating its key policy. You cannot share snapshots encrypted with the default AWS managed KMS key, nor can you share encrypted snapshots publicly.