AWS Certified Security – Specialty — Question 464

A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times. During a security incident, a security engineer attempts to share a snapshot of a suspicious EBS volume to the company's forensics account for analysis. The security engineer receives the following error:

"Unable to share snapshot: An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared."

Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Choose three.)

Answer options

• A. Create an AWS Key Management Service (AWS KMS) customer managed key. Copy the snapshot of the suspicious EBS volume. Encrypt the copy of the snapshot by using the new KMS key.
• B. Allow principals in the forensics account to use the AWS Key Management Service (AWS KMS) customer managed key by modifying the key policy.
• C. Launch an Amazon EC2 instance. Attach the encrypted and suspicious EBS volume. Copy the data from the suspicious EBS volume to an unencrypted EBS volume. Create a snapshot of the unencrypted EBS volume.
• D. Copy the snapshot to the new decrypted snapshot.
• E. Restore an EBS volume from the snapshot of the suspicious EBS volume. Create an unencrypted EBS volume of the same size.
• F. Share the encrypted snapshot with the forensics account.

Correct answer: A, B, F

Explanation

Amazon EBS snapshots encrypted with the default AWS managed KMS key cannot be shared with other AWS accounts. To resolve this, the engineer must copy the snapshot and re-encrypt it using a custom KMS customer managed key (CMK), modify the key policy of this CMK to grant decryption permissions to the forensics account, and then share the custom-encrypted snapshot. Unencrypted volumes or snapshots should not be created as the scenario specifies that EBS volumes must be encrypted at all times.