AWS Certified Security – Specialty (SCS-C03) — Question 32
A company sends Amazon RDS snapshots to two accounts as part of its disaster recovery (DR) plan. The snapshots must be encrypted. However, each account needs to be able to decrypt the snapshots in case of a DR event.
Which solution will meet these requirements?
Answer options
- A. Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Create an AWS Lambda function that copies the KMS encryption key to the two accounts.
- B. Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Create an AWS Lambda function that imports the KMS key in the two accounts.
- C. Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.
- D. Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.
Correct answer: D
Explanation
The correct answer is D. An RDS snapshot encrypted with the AWS managed key for RDS (the default aws/rds key) cannot be shared with another account: the key policy of an AWS managed key is controlled by AWS and cannot be edited to grant another account access, and KMS key material cannot be copied or exported out of the account. A customer managed key has an editable key policy, so the source account can add statements that allow the IAM principals of the two DR accounts to use the key (for example kms:Decrypt, kms:DescribeKey and kms:CreateGrant, which RDS needs when the recipient copies or restores the shared snapshot). Option A fails because the default key cannot be shared and no Lambda function can copy KMS key material to another account. Option B fails for the same reason: the KMS import feature brings your own key material into a key you create in your own account; it does not move a key between accounts. Option C fails because it still relies on the default AWS managed key, whose policy cannot be changed. Two practical caveats: only manual snapshots can be shared, so an automated snapshot must first be copied to a manual snapshot encrypted with the customer managed key, and the key policy grants access to the DR account, whose own IAM policies must then allow its principals to use the key.
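The following is an added example, not part of the original question or explanation. It shows the key policy shape that makes option D work and a pre-flight check that catches the two ways the sharing fails in practice: the snapshot being encrypted with an AWS managed key (KeyManager "AWS" in the DescribeKey response) and a DR account missing one of the KMS actions RDS needs. The account IDs, key IDs and the DescribeKey responses are constructed placeholders so the script runs offline; in a real run the metadata would come from `aws kms describe-key` and the policy would be applied with `aws kms put-key-policy`.

```python
"""Pre-flight check for sharing an encrypted RDS snapshot with DR accounts.

Added example. The KMS metadata below is constructed sample data in the shape
of a DescribeKey response; the account and key IDs are placeholders.
"""
import fnmatch

SOURCE_ACCOUNT = "111111111111"                      # placeholder
DR_ACCOUNTS = ["222222222222", "333333333333"]       # placeholders

# Actions RDS in the DR account needs on the source key to copy/restore
# a shared encrypted snapshot (per the RDS snapshot-sharing documentation).
DR_KEY_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
    "kms:DescribeKey", "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant",
]

# Constructed DescribeKey "KeyMetadata" samples (not real keys).
AWS_MANAGED_KEY = {"KeyId": "aaaaaaaa-0000-0000-0000-000000000001",
                   "KeyManager": "AWS", "Description": "Default key for RDS"}
CUSTOMER_KEY = {"KeyId": "bbbbbbbb-0000-0000-0000-000000000002",
                "KeyManager": "CUSTOMER", "Description": "DR snapshot key"}


def is_shareable_key(key_metadata):
    """AWS managed keys have a policy you cannot edit, so snapshots encrypted
    with them can never be shared cross-account. Only customer managed keys qualify."""
    return key_metadata.get("KeyManager") == "CUSTOMER"


def build_key_policy(source_account, dr_accounts):
    """Key policy for the customer managed key: full admin for the source
    account, and the RDS-required usage actions for each DR account's principals."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SourceAccountAdmin",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "DRAccountsUseKey",
                "Effect": "Allow",
                "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in dr_accounts]},
                "Action": DR_KEY_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def accounts_allowed(policy, action):
    """Account IDs whose root principal gets `action` from an Allow statement.
    Deliberately simple (no Deny or Condition handling): a pre-flight check,
    not an IAM evaluator."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if not any(fnmatch.fnmatchcase(action, pat) for pat in actions):
            continue
        principals = stmt["Principal"]["AWS"]
        principals = [principals] if isinstance(principals, str) else principals
        for arn in principals:
            allowed.add(arn.split(":")[4])   # arn:aws:iam::<account>:root
    return allowed


def preflight(key_metadata, policy, dr_accounts):
    """Return the list of reasons the share would fail; empty means go ahead."""
    problems = []
    if not is_shareable_key(key_metadata):
        problems.append("snapshot key is AWS managed; copy the snapshot with a "
                        "customer managed key before sharing")
    for account in dr_accounts:
        for action in ("kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant"):
            if account not in accounts_allowed(policy, action):
                problems.append(f"account {account} lacks {action} in the key policy")
    return problems


def share_command(snapshot_id, dr_accounts):
    """CLI call that shares a manual snapshot (automated ones must be copied first)."""
    return ("aws rds modify-db-snapshot-attribute "
            f"--db-snapshot-identifier {snapshot_id} --attribute-name restore "
            f"--values-to-add {' '.join(dr_accounts)}")


if __name__ == "__main__":
    policy = build_key_policy(SOURCE_ACCOUNT, DR_ACCOUNTS)
    print("default key:", preflight(AWS_MANAGED_KEY, policy, DR_ACCOUNTS))
    print("customer key:", preflight(CUSTOMER_KEY, policy, DR_ACCOUNTS))
    print(share_command("prod-db-manual-2024", DR_ACCOUNTS))
```

Once the pre-flight passes and the snapshot is shared, each DR account should take ownership of the data by running `aws rds copy-db-snapshot` against the shared snapshot ARN with `--kms-key-id` pointing at a key in its own account; that copy is what it restores from during a DR event, so recovery no longer depends on the source account's key being available.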