AWS Certified SysOps Administrator – Associate — Question 461

A SysOps administrator has an AWS CloudFormation template that is used to deploy an encrypted Amazon Machine Image (AMI). The CloudFormation template will be used in a second account so the SysOps administrator copies the encrypted AMI to the second account. When launching the new CloudFormation stack in the second account, it fails.
Which action should the SysOps administrator take to correct the issue?

Answer options

• A. Change the AMI permissions to mark the AMI as public.
• B. Deregister the AMI in the source account.
• C. Re-encrypt the destination AMI with an AWS Key Management Service (AWS KMS) key from the destination account.
• D. Update the CloudFormation template with the ID of the AMI in the destination account.

Correct answer: C

Explanation

To successfully launch an instance from an encrypted AMI in a destination account, the destination account must have the appropriate permissions to decrypt the AMI. Re-encrypting the copied AMI with an AWS KMS key from the destination account ensures that the target account has full access and control over the encryption key needed to launch the instance. Making an encrypted AMI public is not allowed by AWS, and deregistering the source AMI or simply changing the ID in the template does not solve the underlying KMS key permission issue.