AWS Certified SysOps Administrator – Associate (legacy) — Question 902
An existing data management application is running on a single Amazon EC2 instance and needs to be moved to a new AWS Region in another AWS account.
How can a SysOps Administrator achieve this while maintaining the security of the application?
Answer options
- A. Create an encrypted Amazon Machine Image (AMI) of the instance and make it public to allow the other account to search and launch an instance from it.
- B. Create an AMI of the instance, add permissions for the AMI to the other AWS account, and start a new instance in the new region by using that AMI.
- C. Create an AMI of the instance, copy the AMI to the new region, add permissions for the AMI to the other AWS account, and start new instance.
- D. Create an encrypted snapshot of the instance and make it public. Provide only permissions to decrypt to the other AWS account.
Correct answer: C
Explanation
An AMI is a Region-scoped resource: an image built in the source Region cannot be used to launch an instance in another Region until it has been copied there. Option B skips that copy, so the launch "in the new region" it describes is not possible as written. Option C is the complete and secure procedure: create the AMI from the instance, copy it to the destination Region, grant launch permission to the destination account's 12-digit account ID (a private share to one account, not a public one), and then launch the new instance from the shared AMI in the other account. Options A and D make the image or snapshot public, which would expose the application's data to every AWS customer; AWS also refuses to make an AMI backed by encrypted snapshots, or an encrypted snapshot itself, public, so neither option can even be carried out. Two checks a practitioner should add after sharing: confirm with describe-image-attribute that the launch permission lists only the intended account and no "all" group, and, if the instance's volumes are encrypted with a customer managed KMS key, make sure the key policy grants the destination account access (the AWS managed aws/ebs key cannot be shared across accounts, so the copy in the new Region must use a customer managed key there).
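The option C procedure as an AWS CLI script, added here as an example and not part of the original question or of AWS documentation. It assumes the AWS CLI v2 is configured with a profile for the source account; the instance ID, Region names, account ID, KMS key ID, subnet ID and profile names are placeholders. The helper functions validate the share target and check the resulting launch permission, which is where a mistake would turn a private share into a public one; the migration itself only runs when RUN_MIGRATION=1 is set.

```shell
#!/usr/bin/env bash
# Added example: create an AMI, copy it to the destination Region, share it
# privately with one account, and verify the share is not public.
# Assumptions (placeholders, not real identifiers): profile "source" has
# credentials in the source account, profile "dest" in the destination
# account; instance, account, key and subnet IDs are made up.
set -euo pipefail

# Refuse anything that is not a single 12-digit AWS account ID. The string
# "all" is the public group in the EC2 launch-permission API, so it is
# rejected explicitly.
validate_share_target() {
  local target=$1
  if [ "$target" = "all" ]; then
    echo "refusing to share publicly (Group=all)" >&2
    return 1
  fi
  if ! printf '%s' "$target" | grep -Eq '^[0-9]{12}$'; then
    echo "not a 12-digit AWS account ID: $target" >&2
    return 1
  fi
  return 0
}

# Build the --launch-permission argument for modify-image-attribute so the
# grant is always to a UserId, never to a Group.
launch_permission_arg() {
  printf 'Add=[{UserId=%s}]' "$1"
}

# Read the JSON from `describe-image-attribute --attribute launchPermission`
# on stdin and fail if any entry is a group grant; a "Group": "all" entry
# means the AMI is public.
assert_private_launch_permissions() {
  if grep -q '"Group"'; then
    echo "AMI has a group launch permission (public)" >&2
    return 1
  fi
  return 0
}

migrate_instance() {
  local src_region=$1 dst_region=$2 instance_id=$3 dst_account=$4 dst_kms_key=$5
  validate_share_target "$dst_account"

  # 1. Create the AMI in the source Region (--no-reboot avoids downtime but
  #    does not flush the guest file system; reboot for a crash-consistent copy).
  local ami
  ami=$(aws ec2 create-image --profile source --region "$src_region" \
    --instance-id "$instance_id" --name "data-mgmt-migration" --no-reboot \
    --query ImageId --output text)
  aws ec2 wait image-available --profile source --region "$src_region" --image-ids "$ami"

  # 2. Copy it into the destination Region. The copy is re-encrypted with a
  #    customer managed KMS key in that Region; the aws/ebs managed key cannot
  #    be shared, so the key policy of $dst_kms_key must grant $dst_account.
  local copied
  copied=$(aws ec2 copy-image --profile source --region "$dst_region" \
    --source-region "$src_region" --source-image-id "$ami" \
    --name "data-mgmt-migration" --encrypted --kms-key-id "$dst_kms_key" \
    --query ImageId --output text)
  aws ec2 wait image-available --profile source --region "$dst_region" --image-ids "$copied"

  # 3. Share the copied AMI with the destination account only.
  aws ec2 modify-image-attribute --profile source --region "$dst_region" \
    --image-id "$copied" --launch-permission "$(launch_permission_arg "$dst_account")"

  # 4. Verify: the launch permission must list the account and no group.
  aws ec2 describe-image-attribute --profile source --region "$dst_region" \
    --image-id "$copied" --attribute launchPermission --output json \
    | assert_private_launch_permissions

  echo "$copied"
}

if [ "${RUN_MIGRATION:-0}" = "1" ]; then
  NEW_AMI=$(migrate_instance us-east-1 eu-west-1 i-0123456789abcdef0 \
    123456789012 arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555)
  # 5. From the destination account, launch in the new Region from the shared AMI.
  aws ec2 run-instances --profile dest --region eu-west-1 --image-id "$NEW_AMI" \
    --instance-type t3.medium --subnet-id subnet-0abc1234def567890
fi
```

Sharing before copying also works (the destination account can run copy-image itself), but then the source account must additionally share the AMI's backing snapshot with the destination account, because copying a shared AMI requires read access to its snapshot; copying first and sharing the finished image, as above, avoids that extra grant.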