A company uses AWS Organizations. The security organizational unit (OU) needs to share approved Amazon Machine Images (AMIs) with the development OU. The AMIs are created from AWS KMS-encrypted snapshots. Which solutions meet these requirements? (Choose two.)
Choose an answer
Tap an option to check your answer.
Correct answer: Add the development team's OU Amazon Resource Name (ARN) to the launch permission list for the AMIs., Update the AWS KMS key policy to allow the development team's OU to use the AWS KMS keys that decrypt the snapshots..
Why this is the answer
To share an AMI encrypted with a customer managed key (CMK) across accounts in AWS Organizations, two conditions must be met. First, the AMI's launch permissions must allow the target accounts (or the OU containing them) to launch instances from it. Adding the development OU's ARN to the launch permission list achieves this. Second, the AWS KMS key policy used to encrypt the AMI's underlying snapshots must grant permission to the target accounts (or the OU) to decrypt the data. Updating the KMS key policy to allow the development OU to use the keys fulfills this requirement. Adding the Organizations root ARN to launch permissions would be too broad and not specific to the development OU. Recreating the KMS key is unnecessary; an existing key policy can be updated.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed