AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 11

A company must encrypt all AMIs that the company shares across accounts. A DevOps engineer has access to a source account where an unencrypted custom AMI has been built. The DevOps engineer also has access to a target account where an Amazon EC2 Auto Scaling group will launch EC2 instances from the AMI. The DevOps engineer must share the AMI with the target account.
The company has created an AWS Key Management Service (AWS KMS) key in the source account.
Which additional steps should the DevOps engineer perform to meet the requirements? (Choose three.)

Answer options

• A. In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the KMS key in the copy action.
• B. In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the default Amazon Elastic Block Store (Amazon EBS) encryption key in the copy action.
• C. In the source account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role in the target account.
• D. In the source account, modify the key policy to give the target account permissions to create a grant. In the target account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role.
• E. In the source account, share the unencrypted AMI with the target account.
• F. In the source account, share the encrypted AMI with the target account.

Correct answer: A, D, F

Explanation

The correct answer includes steps that ensure the AMI is encrypted and shared securely. Option A is necessary to create an encrypted AMI using the specified KMS key. Option D is essential for modifying permissions so that the target account can utilize the KMS key for decryption. Option F is correct because it allows the encrypted AMI to be shared with the target account, maintaining compliance with the encryption requirement. Options B, C, and E do not fulfill the requirements for encryption and permissions adequately.