Exam DVA-C02
Question 27

A developer wants to expand an application to run in multiple AWS Regions. The developer wants to copy Amazon Machine Images (AMIs) with the latest changes and create a new application stack in the destination Region. According to company requirements, all AMIs must be encrypted in all Regions. However, not all the AMIs that the company uses are encrypted.

How can the developer expand the application to run in the destination Region while meeting the encryption requirement?

    Correct Answer: A

    To meet the encryption requirement for all AMIs in all Regions, the developer must create new AMIs with specified encryption parameters. This ensures that the AMIs are encrypted before they are copied to the destination Region. Any existing unencrypted AMIs should then be deleted to maintain compliance. This method ensures that the encryption is applied at the time of AMI creation, guaranteeing all AMIs are encrypted as required.

Discussion
Bibay

A. Create new AMIs, and specify encryption parameters. Copy the encrypted AMIs to the destination Region. Delete the unencrypted AMIs. The best solution for meeting the encryption requirement is to create new AMIs with encryption enabled and copy them to the destination Region. By default, when an AMI is copied to another Region, it is not encrypted in the destination Region even if it is encrypted in the source Region. Therefore, the developer must create new encrypted AMIs that can be used in the destination Region. Once the new encrypted AMIs have been created, they can be copied to the destination Region. The unencrypted AMIs can then be deleted to ensure that all instances running in all Regions are using only encrypted AMIs.

Rameez1 (Option: A)

A is correct. Unencrypted AMI can't be encrypted after creation. Need to create new encrypted AMI then it can be copied to other regions.

TheFivePips (Option: A)

Encryption of an Amazon Machine Image (AMI) is typically tied to the underlying Amazon Elastic Block Store (EBS) snapshots that are associated with the AMI. When you create an AMI, you have the option to specify encryption parameters. If you choose to encrypt the root volume, the resulting AMI will be encrypted. This encryption setting applies to both the root volume and any additional EBS volumes attached to the instance. The encryption status of an EBS snapshot is determined at the time of snapshot creation. Once a snapshot is created, its encryption status remains constant. If you want to encrypt a snapshot, you typically need to create a new snapshot from an encrypted volume. Once an AMI is created, you generally cannot modify its encryption status directly. If you need to change the encryption status, you might need to create a new AMI from an encrypted snapshot.
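An added example, not part of the post above: a compliance check for the "all AMIs must be encrypted in all Regions" requirement that inspects every EBS snapshot behind each AMI rather than only the root volume. It works on parsed `aws ec2 describe-images` output; the sample data and all IDs in it are constructed, and the function names are hypothetical.

```python
# Constructed sample shaped like `aws ec2 describe-images --owners self`
# output, keyed by Region. All image and snapshot IDs are made up.
SAMPLE = {
    "us-east-1": {"Images": [
        {"ImageId": "ami-0aaaexample1", "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda",
             "Ebs": {"SnapshotId": "snap-0aaa1", "Encrypted": True}},
            {"DeviceName": "/dev/sdf",
             "Ebs": {"SnapshotId": "snap-0aaa2", "Encrypted": False}},
        ]},
        {"ImageId": "ami-0bbbexample2", "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda",
             "Ebs": {"SnapshotId": "snap-0bbb1", "Encrypted": True}},
            # Instance-store mapping: no Ebs block, so no snapshot to check.
            {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},
        ]},
    ]},
    "eu-west-1": {"Images": [
        {"ImageId": "ami-0cccexample3", "BlockDeviceMappings": [
            # Encrypted flag absent: treated as unencrypted (fail closed).
            {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0ccc1"}},
        ]},
    ]},
}


def unencrypted_mappings(image):
    """Device names of EBS mappings whose backing snapshot is not encrypted."""
    findings = []
    for bdm in image.get("BlockDeviceMappings", []):
        ebs = bdm.get("Ebs")
        if ebs is None:  # ephemeral / instance-store device
            continue
        if not ebs.get("Encrypted", False):
            findings.append(bdm.get("DeviceName", "?"))
    return findings


def audit(images_by_region):
    """Map (region, ImageId) -> unencrypted devices, non-compliant AMIs only."""
    report = {}
    for region, response in images_by_region.items():
        for image in response.get("Images", []):
            devices = unencrypted_mappings(image)
            if devices:
                report[(region, image["ImageId"])] = devices
    return report
```

An empty result from `audit` over every Region in use means no AMI is backed by an unencrypted snapshot.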

Ap1011

Answer A. For any AMI copy to be encrypted, the source AMI should be encrypted first. You can't encrypt the copy of the AMI if the source is not encrypted.

gqs3119

C: ACM is about SSL/TLS.
D: Even if assumed that "encryption by default" is enabled in the destination before copy, original AMI is still not encrypted, so condition "AMIs must be encrypted in all Regions" is not met.
B: I don't see any option in AWS Console or docs to encrypt in place existing AMI. It can be done when copying it. Option B doesn't handle existing unencrypted AMIs.
A: I think, A is the best description of the procedure.

BluntFarmer

I would go with D: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default Solves must be encrypted issue once and for all plus you can copy unencrypted to encrypted

maurice2005

It still keeps the unencrypted AMI untouched. You have to delete them, but that is not mentioned as explicitly as in A.

ronn555

A. When you create an encrypted AMI and do not specify the KMS key, AWS will use the default Customer Managed Key which is the only multi-region key. If you select a KMS key from the origin region it will not work in the destination region (presently) so B is not correct.

Cerakoted (Option: B)

Answer is B. Check this link: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html#ami-copy-encryption

[Removed]

If you read this link carefully it actually proves that B is wrong. The correct answer is A. You cannot enable encryption on an unencrypted AMI. ---> an AMI backed by an unencrypted root snapshot is copied to an AMI with an encrypted root snapshot. The CopyImage action is invoked with two encryption parameters, including a customer managed key. As a result, the encryption status of the root snapshot changes, so that the target AMI is backed by a root snapshot containing the same data as the source snapshot, but encrypted using the specified key.

manikantaJ (Option: B)

Here's why option B is the appropriate choice:
AWS KMS Encryption: AWS KMS is a service that allows you to easily enable encryption for your resources, including Amazon Machine Images (AMIs). You can create a customer managed key (CMK) in AWS KMS and use it to encrypt your AMIs.
Enable Encryption on Unencrypted AMIs: You can enable encryption for unencrypted AMIs by creating a copy of the AMI and specifying the AWS KMS key to use for encryption during the copy process. This ensures that your new AMIs in the destination Region are encrypted.
Maintain Data Integrity: This approach allows you to maintain data integrity and ensure that all AMIs are encrypted in compliance with company requirements.

sofiatian (Option: B)

Copy an unencrypted source AMI to an encrypted target AMI
In this scenario, an AMI backed by an unencrypted root snapshot is copied to an AMI with an encrypted root snapshot. The CopyImage action is invoked with two encryption parameters, including a customer managed key. As a result, the encryption status of the root snapshot changes, so that the target AMI is backed by a root snapshot containing the same data as the source snapshot, but encrypted using the specified key.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html

Naj_64 (Option: B)

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html#AMI-encryption-copy "Copy-image behaviors with both Encrypted and KmsKeyId set: An unencrypted snapshot is copied to a snapshot encrypted by the specified KMS key."

Naj_64

B is wrong. Going with A. You just can't use KMS to encrypt an unencrypted snapshot; you'll need to first create a vol from the snapshot and select the option to encrypt it. Making A the correct answer.

Krok (Option: A)

I think it's A. Option D is also correct, but in this case, your source AMI stays unencrypted. Options B and C are incorrect; you can't just encrypt an existing unencrypted AMI or create an encrypted AMI from an unencrypted EC2.

tomchandler077

Option A ensures all AMIs are encrypted before they are copied to the destination region, meeting the encryption requirement and providing a clear and compliant process for expanding the application to multiple AWS Regions.

65703c1 (Option: A)

A is the correct answer.

SerialiDr (Option: A)

A. This approach ensures that all AMIs are encrypted using specified encryption parameters before they are copied to the destination Region, aligning with the company's encryption requirement. AWS provides the capability to encrypt AMIs during the AMI creation process and when copying AMIs between Regions. You can specify an AWS Key Management Service (AWS KMS) customer master key (CMK) during these processes to use for encryption, meeting the requirement to use a company-generated key.

walala97 (Option: A)

KMS keys are regional, so when you use KMS before you copy to another region, the second region still has the unencrypted AMIs, so B is not correct.

sanjoysarkar

A is the correct answer.