AWS Certified Solutions Architect – Associate (SAA-C03) — Question 732
A company uses AWS Organizations for its multi-account AWS setup. The security organizational unit (OU) of the company needs to share approved Amazon Machine Images (AMIs) with the development OU. The AMIs are created by using AWS Key Management Service (AWS KMS) encrypted snapshots.
Which solution will meet these requirements? (Choose two.)
Answer options
- A. Add the development team's OU Amazon Resource Name (ARN) to the launch permission list for the AMIs.
- B. Add the Organizations root Amazon Resource Name (ARN) to the launch permission list for the AMIs.
- C. Update the key policy to allow the development team's OU to use the AWS KMS keys that are used to decrypt the snapshots.
- D. Add the development team's account Amazon Resource Name (ARN) to the launch permission list for the AMIs.
- E. Recreate the AWS KMS key. Add a key policy to allow the Organizations root Amazon Resource Name (ARN) to use the AWS KMS key.
Correct answer: A, C
Explanation
To share encrypted AMIs within AWS Organizations, share each AMI directly with the target organizational unit (OU) by adding the OU's ARN to the AMI's launch permissions. Because the underlying snapshots are encrypted, the launch permission alone is not enough: the key policy of the AWS KMS key must also be updated to grant the development OU permission to use that key to decrypt the snapshots. Sharing with the Organizations root, or recreating the KMS key with a policy that trusts the root, grants far broader access than the requirement calls for and does not follow the principle of least privilege.
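The two artifacts behind options A and C, as an added example that is not part of the exam page: the EC2 launch-permission parameters that share the AMI with the OU, the KMS key policy statement that scopes key use to that OU through the `aws:PrincipalOrgPaths` condition, and a small checker that verifies whether a given key policy actually grants the OU the actions it needs. All account, organization and OU identifiers are constructed placeholders.

```python
import fnmatch

OU_ARN = "arn:aws:organizations::111122223333:ou/o-EXAMPLE/ou-EXAMPLE"  # constructed placeholder
OU_ORG_PATH = "o-EXAMPLE/r-EXAMPLE/ou-EXAMPLE/"                          # constructed placeholder
# KMS actions a consuming account needs to launch from an AMI whose snapshots
# are encrypted under a key owned by another account.
REQUIRED_ACTIONS = {"kms:Decrypt", "kms:DescribeKey", "kms:ReEncrypt*", "kms:CreateGrant"}

def launch_permission_request(image_id):
    """EC2 ModifyImageAttribute parameters that share the AMI with the OU (option A)."""
    return {"ImageId": image_id,
            "LaunchPermission": {"Add": [{"OrganizationalUnitArn": OU_ARN}]}}

def ou_key_policy_statement():
    """Key policy statement granting key use to every principal under the OU (option C)."""
    return {"Sid": "AllowDevelopmentOUToUseKey", "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": sorted(REQUIRED_ACTIONS), "Resource": "*",
            "Condition": {"StringLike": {"aws:PrincipalOrgPaths": OU_ORG_PATH + "*"}}}

def key_policy():
    """Full key policy: the owning account keeps admin rights, the OU gets use rights."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableKeyAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        ou_key_policy_statement()]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def ou_can_use_key(policy, principal_org_path):
    """True if an Allow statement grants all REQUIRED_ACTIONS to principals whose
    aws:PrincipalOrgPaths matches principal_org_path (only that condition is checked)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not all(any(fnmatch.fnmatchcase(need, a) for a in actions) for need in REQUIRED_ACTIONS):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        patterns = _as_list(cond.get("aws:PrincipalOrgPaths", []))
        if any(fnmatch.fnmatchcase(principal_org_path, p) for p in patterns):
            return True
    return False
```

The checker is deliberately narrow: a policy whose only statement trusts the owning account's root (the "before" state) reports that the development OU cannot use the key, and a principal in a sibling OU is rejected even after the OU statement is added.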