A company stores confidential data in an Amazon Aurora PostgreSQL database in the ap-southeast-3 Region, encrypted with an AWS KMS customer managed key. The company was acquired and must securely share a backup of the database with the acquiring company’s AWS account in ap-southeast-3. What should a solutions architect do to meet these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a database snapshot. Add the acquiring company’s AWS account to the KMS key policy. Share the snapshot with the acquiring company’s AWS account..
Why this is the answer
The correct approach is to create a database snapshot and then modify the KMS key policy to grant the acquiring company's AWS account permission to use the customer managed key (CMK). This allows the acquiring company to restore the encrypted snapshot in their own account. Sharing an encrypted snapshot directly requires the recipient account to have access to the KMS key used for encryption. Incorrect options: Copying to an unencrypted snapshot would violate the requirement for securely sharing confidential data. Using a different AWS managed KMS key or adding the account to a KMS key alias does not grant the necessary permissions to the original CMK used for the snapshot. Aliases are pointers to keys, not keys themselves, and AWS managed keys cannot have their policies directly modified for cross-account sharing in this manner. Downloading and re-uploading the snapshot to S3 is an overly complex and inefficient process for Aurora snapshots, which are managed differently than file-based backups. It also introduces potential security risks during transfer and requires manual management of data, which is not ideal for large databases.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed