AWS Certified Security – Specialty — Question 280

A company has recently recovered from a security incident that required the restoration of Amazon EC2 instances from snapshots.
After performing a gap analysis of its disaster recovery procedures and backup strategies, the company is concerned that, next time, it will not be able to recover the EC2 instances if the AWS account was compromised and Amazon EBS snapshots were deleted.
All EBS snapshots are encrypted using an AWS KMS CMK.
Which solution would solve this problem?

Answer options

• A. Create a new Amazon S3 bucket. Use EBS lifecycle policies to move EBS snapshots to the new S3 bucket. Move snapshots to Amazon S3 Glacier using lifecycle policies, and apply Glacier Vault Lock policies to prevent deletion.
• B. Use AWS Systems Manager to distribute a configuration that performs local backups of all attached disks to Amazon S3.
• C. Create a new AWS account with limited privileges. Allow the new account to access the AWS KMS key used to encrypt the EBS snapshots, and copy the encrypted snapshots to the new account on a recurring basis.
• D. Use AWS Backup to copy EBS snapshots to Amazon S3.

Correct answer: C

Explanation

Copying the encrypted EBS snapshots to a separate, isolated AWS account with restricted access ensures that the backups remain secure even if the primary account is completely compromised. To facilitate this cross-account copy of encrypted snapshots, the destination account must be granted permissions to use the AWS KMS CMK from the source account. The other options are incorrect because they either keep the backups within the same compromised account, or suggest unsupported technical configurations like using EBS lifecycle policies to move snapshots directly to Amazon S3.