AWS Certified Security – Specialty — Question 403
A company sends Amazon RDS snapshots to two accounts as part of its disaster recovery (DR) plan. The snapshots must be encrypted. However, each account needs to be able to decrypt the snapshots in case of a DR event.
Which solution will meet these requirements?
Answer options
- A. Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Create an AWS Lambda function that copies the KMS encryption key to the two accounts.
- B. Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Create an AWS Lambda function that imports the KMS key in the two accounts.
- C. Use the default AWS Key Management Service (AWS KMS) key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.
- D. Use an AWS Key Management Service (AWS KMS) customer managed key to generate the snapshots. Share the KMS key with the two accounts by using an IAM principal that has the proper KMS permissions in each account.
Correct answer: D
Explanation
Default AWS KMS keys (AWS-managed keys) cannot be shared with other AWS accounts, making options A and C incorrect. Additionally, KMS keys cannot be copied or imported between accounts using Lambda as suggested in option B. Creating a customer managed key and modifying its key policy to grant cross-account access to IAM principals in the target accounts is the correct way to allow those accounts to decrypt the shared Amazon RDS snapshots.
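The key policy that option D relies on, as an added example (not part of the question bank and not AWS's own code). It builds the customer managed key's policy so that the key owner's account keeps administrative control while each DR account's root principal receives the actions AWS documents as required to copy or restore a shared, encrypted RDS snapshot: the "use" actions plus the grant actions that RDS needs, limited to grants for AWS resources. The account IDs are constructed placeholders; the helper functions at the end are a pre-deployment check that every DR account really is granted every required action, which is the kind of mistake that otherwise only surfaces during a DR event. The resulting document is what you would pass to PutKeyPolicy when creating or updating the key; the same edit is impossible on the default aws/rds key, which is why options A and C fail.

```python
"""Key policy for a customer managed KMS key whose encrypted RDS snapshots
are shared with DR accounts. Added example; account IDs are constructed."""
import fnmatch
import json

# Constructed placeholder account IDs (not taken from the question).
OWNER_ACCOUNT = "111111111111"
DR_ACCOUNTS = ["222222222222", "333333333333"]

# Actions a target account needs on the key to copy/restore a shared,
# encrypted RDS snapshot. RDS creates grants on the key on the account's
# behalf, so the grant actions are needed in addition to the use actions.
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def build_dr_key_policy(owner_account, dr_accounts):
    """Return a key policy that keeps the owner account as administrator and
    grants each DR account's root principal the required actions.
    Delegating to the account root lets IAM policies inside that account
    decide which of its own principals may actually use the key."""
    dr_roots = [f"arn:aws:iam::{acct}:root" for acct in dr_accounts]
    return {
        "Version": "2012-10-17",
        "Id": "rds-dr-snapshot-key",
        "Statement": [
            {
                "Sid": "Enable IAM policies in the key owner account",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow DR accounts to use the key",
                "Effect": "Allow",
                "Principal": {"AWS": dr_roots},
                "Action": USE_ACTIONS,
                "Resource": "*",
            },
            {
                "Sid": "Allow DR accounts to attach grants for AWS resources",
                "Effect": "Allow",
                "Principal": {"AWS": dr_roots},
                "Action": GRANT_ACTIONS,
                "Resource": "*",
                # Grants may only be created for AWS services (here RDS),
                # not handed out freely by the DR account.
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def accounts_allowed(policy, action):
    """Return the set of account IDs whose root principal is allowed `action`
    by some Allow statement; wildcard actions such as kms:ReEncrypt* match."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase(action, pat) for pat in actions):
            continue
        for principal in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            # arn:aws:iam::<account>:root -> <account>
            allowed.add(principal.split(":")[4])
    return allowed


def missing_permissions(policy, dr_accounts):
    """Map each DR account to the required actions the policy fails to grant;
    an empty dict means every DR account can decrypt and restore."""
    needed = USE_ACTIONS + GRANT_ACTIONS
    missing = {}
    for acct in dr_accounts:
        gaps = [a for a in needed if acct not in accounts_allowed(policy, a)]
        if gaps:
            missing[acct] = gaps
    return missing


if __name__ == "__main__":
    policy = build_dr_key_policy(OWNER_ACCOUNT, DR_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    print("missing permissions:", missing_permissions(policy, DR_ACCOUNTS))
```

Granting the DR account's root principal rather than a specific role is deliberate: the key owner controls which accounts may use the key, and each DR account then uses its own IAM policies to decide which of its principals can exercise that access, which matches the "IAM principal that has the proper KMS permissions in each account" wording in option D.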