AWS Certified Security – Specialty — Question 235
A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times. During a security incident, EBS snapshots of suspicious instances are shared to a forensics account for analysis. A security engineer attempting to share a suspicious EBS snapshot to the forensics account receives the following error:
`Unable to share snapshot. An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared`
Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Choose three.)
Answer options
- A. Create a customer managed CMK. Copy the EBS snapshot encrypting the destination snapshot using the new CMK.
- B. Allow forensics account principals to use the CMK by modifying its policy.
- C. Create an Amazon EC2 instance. Attach the encrypted and suspicious EBS volume. Copy data from the suspicious volume to an unencrypted volume. Snapshot the unencrypted volume.
- D. Copy the EBS snapshot to the new decrypted snapshot.
- E. Restore a volume from the suspicious EBS snapshot. Create an unencrypted EBS volume of the same size.
- F. Share the target EBS snapshot with the forensics account.
Correct answer: A, B, F
Explanation
The error is caused by the key, not by the snapshot. The EBS default key (`aws/ebs`) is an AWS managed KMS key, and the key policy of an AWS managed key cannot be edited, so no other account can ever be granted permission to use it; EC2 therefore refuses to share any snapshot encrypted under it. The fix is to move the data under a key whose policy the incident account controls: create a customer managed CMK (A), copy the snapshot with that CMK as the destination key, which re-encrypts it without ever writing plaintext to a volume (A), grant the forensics account the KMS permissions it needs to use the key (`kms:Decrypt`, `kms:DescribeKey`, `kms:ReEncrypt*`, `kms:CreateGrant` and related actions) in the key policy (B), and then share the copied snapshot, not the original, with the forensics account (F). Options C and E restore or copy the data onto an unencrypted volume, which violates the requirement that EBS data be encrypted at all times, and option D describes a decrypted snapshot, which EBS cannot produce from an encrypted one. A practical caveat: the forensics account only holds a reference to the shared snapshot; it should copy the snapshot into its own account (re-encrypting under its own key) before the incident account revokes the share or the key grant.
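The following AWS CLI script is an added worked example of steps A, B and F; it is not part of the exam page or AWS documentation. The account IDs (111111111111 for the incident account, 222222222222 for the forensics account), the region and the snapshot ID passed on the command line are hypothetical placeholders, and it assumes AWS CLI v2 configured with credentials in the incident account.

```shell
#!/bin/sh
# Added example (not from the exam page): share an EBS snapshot that was
# encrypted with the AWS-managed default key (aws/ebs) with a forensics
# account while keeping the data encrypted end to end.
# Assumed placeholder values: incident account 111111111111, forensics
# account 222222222222, region us-east-1, credentials for the incident account.

# Step B: emit a KMS key policy that keeps the incident account as key
# administrator and grants the forensics account the permissions EC2 needs
# to copy and restore an encrypted snapshot through this key.
build_key_policy() {
  incident="$1"; forensics="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IncidentAccountAdmin",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${incident}:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "ForensicsAccountUse",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${forensics}:root"},
      "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:DescribeKey"],
      "Resource": "*"
    },
    {
      "Sid": "ForensicsAccountGrants",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${forensics}:root"},
      "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
      "Resource": "*",
      "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}
    }
  ]
}
EOF
}

# Steps A and F: create the CMK, copy the snapshot under it, share the copy.
share_snapshot() {
  incident="$1"; forensics="$2"; snapshot="$3"; region="${4:-us-east-1}"

  # Step A (part 1): a customer managed key whose policy we control.
  key_id=$(aws kms create-key --region "$region" \
      --description "Forensics snapshot sharing key" \
      --policy "$(build_key_policy "$incident" "$forensics")" \
      --query KeyMetadata.KeyId --output text)

  # Step A (part 2): copy the snapshot, re-encrypting it under the new key.
  # Without --kms-key-id the copy would stay under aws/ebs and still fail to share.
  copy_id=$(aws ec2 copy-snapshot --region "$region" --source-region "$region" \
      --source-snapshot-id "$snapshot" --encrypted --kms-key-id "$key_id" \
      --description "Forensics copy of $snapshot" \
      --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$copy_id"

  # Check before sharing: the copy must be encrypted under the CMK, not aws/ebs.
  aws ec2 describe-snapshots --region "$region" --snapshot-ids "$copy_id" \
      --query 'Snapshots[0].[Encrypted,KmsKeyId]' --output text

  # Step F: share the copy (never the original) with the forensics account.
  aws ec2 modify-snapshot-attribute --region "$region" --snapshot-id "$copy_id" \
      --attribute createVolumePermission --operation-type add --user-ids "$forensics"

  echo "$copy_id"
}

# Run only when invoked with arguments, so sourcing the file just defines functions.
# Usage: sh share_snapshot.sh 111111111111 222222222222 snap-0123456789abcdef0 us-east-1
if [ "$#" -ge 3 ]; then
  share_snapshot "$@"
fi
```

The `kms:GrantIsForAWSResource` condition restricts the grant permissions so the forensics account can only create grants on behalf of AWS services such as EC2 (which is what attaching or restoring an encrypted volume requires), not arbitrary grants to other principals.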