AWS Certified Developer – Associate (DVA-C02) — Question 537

A company uses two AWS accounts: production and development. The company stores data in an Amazon S3 bucket that is in the production account. The data is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The company plans to copy the data to another S3 bucket that is in the development account.

A developer needs to use a KMS key to encrypt the data in the S3 bucket that is in the development account. The KMS key in the development account must be accessible from the production account,

Which solution will meet these requirements?

Answer options

• A. Replicate the customer managed KMS key from the production account to the development account. Specify the production account in the key policy.
• B. Create a new customer managed KMS key in the development account. Specify the production account in the key policy.
• C. Create a new AWS managed KMS key for Amazon S3 in the development account. Specify the production account in the key policy.
• D. Replicate the default AWS managed KMS key for Amazon S3 from the production account to the development account. Specify the production account in the key policy.

Correct answer: B

Explanation

To enable cross-account access to an AWS KMS key, you must use a customer managed key because AWS managed keys do not allow their key policies to be modified for cross-account access. Creating a new customer managed key in the destination development account and updating its key policy to trust the production account allows the production account to write the copied data. Options involving AWS managed keys or direct replication of keys across accounts are not supported for this use case.