AWS Certified Security – Specialty — Question 424
A security team is using Amazon EC2 Image Builder to build a hardened AMI with forensic capabilities. An AWS Key Management Service (AWS KMS) key will encrypt the forensic AMI. EC2 Image Builder successfully installs the required patches and packages in the security team’s AWS account. The security team uses a federated IAM role in the same AWS account to sign in to the AWS Management Console and attempts to launch the forensic AMI. The EC2 instance launches and immediately terminates.
What should the security team do to launch the EC2 instance successfully?
Answer options
- A. Update the policy that is associated with the federated IAM role to allow the ec2:DescribeImages action for the forensic AMI.
- B. Update the policy that is associated with the federated IAM role to allow the ec2:StartInstances action in the security team's AWS account.
- C. Update the policy that is associated with the KMS key that is used to encrypt the forensic AMI. Configure the policy to allow the kms:Encrypt and kms:Decrypt actions for the federated IAM role.
- D. Update the policy that is associated with the federated IAM role to allow the kms:DescribeKey action for the KMS key that is used to encrypt the forensic AMI.
Correct answer: C
Explanation
When an EC2 instance launched from an encrypted AMI terminates immediately after launch, the usual cause is that the IAM principal performing the launch is not authorized to use the AWS KMS key that protects the root volume, so EC2 cannot decrypt the volume during boot. To resolve this, the KMS key policy must be updated to explicitly grant the federated IAM role permission for the cryptographic operations on that key, such as kms:Encrypt and kms:Decrypt. Other actions, such as ec2:DescribeImages or kms:DescribeKey, do not provide the decryption capability required during the instance boot sequence, and ec2:StartInstances applies to stopped instances rather than a new launch.
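The following is an added example, not part of the exam page, that shows the key-policy change behind answer C and a small checker for diagnosing it. It builds a KMS key policy that, before the fix, grants only the account root principal (the default statement), then appends a statement for the federated role and re-checks which actions the role is still missing. The account ID, role name and session name are constructed placeholders. Besides kms:Encrypt and kms:Decrypt, which the question names, the example also grants the other actions AWS documents for launching instances with KMS-encrypted EBS volumes (kms:DescribeKey, kms:GenerateDataKeyWithoutPlaintext, kms:ReEncryptFrom, kms:ReEncryptTo, kms:CreateGrant), which is what a real hardened-AMI key policy would carry. The evaluator deliberately looks only at the key policy itself: it ignores IAM identity policies, grants and Condition elements, so it is a first-pass check rather than a full IAM simulation.

```python
"""Key-policy check for launching from a KMS-encrypted AMI (added example).

All ARNs below are constructed placeholders, not values from the exam page.
"""
import copy
import fnmatch
import json

ACCOUNT_ID = "111122223333"  # placeholder account
FEDERATED_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/SecurityTeamFederatedRole"  # placeholder role

# Actions a principal needs on the key to launch from an AMI whose root
# volume is encrypted with it. The first two are the ones the question names;
# the rest are the additional actions AWS documents for EBS-encrypted launches.
REQUIRED_LAUNCH_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:CreateGrant",
]

# Key policy as it stood before the fix: only the default root statement,
# so the federated role is granted nothing by the key policy itself.
KEY_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Id": "forensic-ami-key-policy",
    "Statement": [
        {
            "Sid": "EnableRootAccountPermissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Principal/Action; treat both uniformly."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def normalize_principal(arn):
    """Map an assumed-role session ARN to its role ARN.

    A key policy names the role ARN; sessions of that role (what a federated
    console user actually is) match that entry, so normalize before comparing.
    """
    marker = ":assumed-role/"
    if ":sts::" in arn and marker in arn:
        account = arn.split(":")[4]
        role_name = arn.split(marker, 1)[1].split("/", 1)[0]
        return f"arn:aws:iam::{account}:role/{role_name}"
    return arn


def _principal_matches(stmt_principal, principal_arn):
    if stmt_principal == "*":
        return True
    if not isinstance(stmt_principal, dict):
        return False
    aws_principals = _as_list(stmt_principal.get("AWS"))
    return "*" in aws_principals or principal_arn in aws_principals


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def key_policy_allows(policy, principal_arn, action):
    """True if the key policy alone grants `action` to `principal_arn`.

    An explicit Deny wins over any Allow. Conditions, grants and IAM identity
    policies are not evaluated here.
    """
    principal_arn = normalize_principal(principal_arn)
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal"), principal_arn):
            continue
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy, principal_arn, actions=REQUIRED_LAUNCH_ACTIONS):
    """Actions from `actions` that the key policy does not grant the principal."""
    return [a for a in actions if not key_policy_allows(policy, principal_arn, a)]


def grant_role_key_usage(policy, role_arn, actions=REQUIRED_LAUNCH_ACTIONS):
    """Return a copy of the key policy with a statement granting `role_arn` the actions."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"].append({
        "Sid": "AllowForensicRoleToUseKey",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": list(actions),
        "Resource": "*",
    })
    return fixed


if __name__ == "__main__":
    print("missing before fix:", missing_actions(KEY_POLICY_BEFORE, FEDERATED_ROLE_ARN))
    fixed_policy = grant_role_key_usage(KEY_POLICY_BEFORE, FEDERATED_ROLE_ARN)
    print("missing after fix: ", missing_actions(fixed_policy, FEDERATED_ROLE_ARN))
    print(json.dumps(fixed_policy, indent=2))
```

In practice the JSON this prints is what you would pass to `aws kms put-key-policy --policy-name default`, and the "missing before fix" list is the symptom to look for when an instance launched from an encrypted AMI terminates at boot: the launch API call succeeds because it is authorized by IAM, but the subsequent volume decryption fails against the key policy.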