AWS Certified Solutions Architect – Associate (SAA-C03) — Question 348
A company stores confidential data in an Amazon Aurora PostgreSQL database in the ap-southeast-3 Region. The database is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The company was recently acquired and must securely share a backup of the database with the acquiring company’s AWS account in ap-southeast-3.
What should a solutions architect do to meet these requirements?
Answer options
- A. Create a database snapshot. Copy the snapshot to a new unencrypted snapshot. Share the new snapshot with the acquiring company’s AWS account.
- B. Create a database snapshot. Add the acquiring company’s AWS account to the KMS key policy. Share the snapshot with the acquiring company’s AWS account.
- C. Create a database snapshot that uses a different AWS managed KMS key. Add the acquiring company’s AWS account to the KMS key alias. Share the snapshot with the acquiring company’s AWS account.
- D. Create a database snapshot. Download the database snapshot. Upload the database snapshot to an Amazon S3 bucket. Update the S3 bucket policy to allow access from the acquiring company’s AWS account.
Correct answer: B
Explanation
To share an encrypted Amazon Aurora database snapshot across AWS accounts, the snapshot must be shared directly with the target account, and the target account must have permission to use the customer managed KMS key that encrypts the snapshot. That permission is granted by adding the target account to the key policy of the customer managed key. AWS managed KMS keys cannot be shared across accounts, an encrypted snapshot cannot be made unencrypted during a direct copy, and a snapshot cannot be downloaded as a local file for upload to S3.