AWS Certified Security – Specialty — Question 337

A company has an organization in AWS Organizations. The company’s security team is developing automation to capture Amazon EC2 forensic evidence within any AWS account in the organization. The company has encrypted the Amazon Elastic Block Store (Amazon EBS) volumes of all the EC2 instances in the organization by default by using the AWS managed key. The automation consists of AWS Lambda functions and AWS Step Functions state machines.

The automation assumes an IAM role in the target AWS account. The automation takes snapshots of suspicious EC2 instances and assigns permissions to allow the security team’s account to copy the snapshots. The security team has an AWS Key Management Service (AWS KMS) key to encrypt the snapshots. During testing, the automation fails to copy the snapshots into the security team's AWS account.

Which combination of steps should the security team take so that the automation can capture EC2 forensic evidence in all AWS accounts in the organization? (Choose three.)

Answer options

• A. In the target AWS account, update the KMS key policy on the AWS managed key to explicitly allow the kms:Decrypt and kms:CreateGrant actions to the automation’s IAM role.
• B. In the target AWS account, create a customer managed KMS key. Update the automation’s IAM role to allow the kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, and kms:CreateGrant actions.
• C. In the security team's AWS account, update the automation’s IAM role to allow the kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, and kms:CreateGrant actions for the AWS managed key.
• D. In the security team’s AWS account, update the automation’s IAM role to allow the kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, and kms:CreateGrant actions for the customer managed KMS key.
• E. In the security team's AWS account, update the automation code to take EBS snapshots and to use the AWS managed key.
• F. In the security team's AWS account, update the automation code to take EBS snapshots and to use the customer managed KMS key.

Correct answer: B, D, F

Explanation

The correct steps involve creating a customer managed KMS key in the target account and updating the IAM role to allow necessary KMS actions (B). Additionally, the security team must modify their IAM role in their account to permit KMS actions on the customer managed KMS key (D) and adjust their automation code to use that key (F). The other options do not adequately address the permissions or key management required for successful snapshot copying.