A company engaged an AWS Managed Service Provider (MSP) Partner to assist with a migration. A solutions architect must share an Amazon Machine Image (AMI) from the company's AWS account with the MSP Partner's AWS account. The AMI is EBS-backed and its EBS snapshots are encrypted with a customer-managed AWS KMS key. What is the MOST secure way to share the AMI with the MSP Partner's AWS account?
Choose an answer
Tap an option to check your answer.
Correct answer: Modify the launchPermission property of the AMI. Share the AMI with the MSP Partner's AWS account only. Modify the key policy to allow the MSP Partner's AWS account to use the key..
Why this is the answer
The most secure way to share an encrypted AMI is to grant explicit permissions. Modifying the launchPermission property of the AMI allows the MSP Partner's AWS account to launch EC2 instances from the AMI. Since the AMI is encrypted with a customer-managed KMS key, the key policy must also be updated to allow the MSP Partner's AWS account to decrypt and use the key. This method ensures that only the specified account can access and use the AMI, maintaining security. Making the AMI publicly available is insecure as it allows anyone to launch instances from it. Exporting the AMI to S3 and then importing it is a more complex and less direct method for sharing an AMI, especially when encryption is involved. Trusting a new KMS key owned by the MSP Partner for encryption isn't necessary; the existing key can be shared securely.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed