AWS Certified Security – Specialty (SCS-C02) — Question 32

A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots. The company uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt all Amazon Elastic Block Store (Amazon EBS) snapshots.
The company performs a gap analysis of its disaster recovery procedures and backup strategies. A security engineer needs to implement a solution so that the company can recover the EC2 instances if the AWS account is compromised and the EBS snapshots are deleted.
Which solution will meet this requirement?

Answer options

• A. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Use lifecycle policies to move snapshots to the S3 Glacier Instant Retrieval storage class. Use S3 Object Lock to prevent deletion of the snapshots.
• B. Use AWS Systems Manager to distribute a configuration that backs up all attached disks to Amazon S3.
• C. Create a new AWS account that has limited privileges. Allow the new account to access the KMS key that encrypts the EBS snapshots. Copy the encrypted snapshots to the new account on a recurring basis.
• D. Use AWS Backup to copy EBS snapshots to Amazon S3. Use S3 Object Lock to prevent deletion of the snapshots.

Correct answer: C

Explanation

The correct answer is C because creating a new AWS account with limited privileges ensures that even if the original account is compromised, the snapshots remain secure in the new account. Options A and D do not address the requirement of protecting the snapshots from a compromised account, and option B does not provide a method for safeguarding the backups from deletion.