A database contains highly sensitive data. The company wants to ensure that if a snapshot of the database is shared with another AWS account, the receiving account cannot access the data unless explicitly authorized by the security team. How should the snapshot be encrypted?

Answer options:

Encrypt the database using the AWS managed key (aws/rds).

Encrypt the database using a Customer Managed Key (CMK) in AWS KMS.

Do not encrypt the database, but use IAM policies to restrict snapshot sharing.

Use Transparent Data Encryption (TDE) with a key stored in Parameter Store.

How to approach this question

Remember that to share encrypted snapshots across accounts, you MUST use a Customer Managed Key (CMK), not an AWS managed key.

Full Answer

B.Encrypt the database using a Customer Managed Key (CMK) in AWS KMS.✓ Correct

You can only share encrypted snapshots if they are encrypted using a Customer Managed Key (CMK). You cannot share snapshots encrypted with the default AWS managed key.

Common mistakes

Assuming AWS managed keys can be used for cross-account sharing.

Question 19 All questions Question 21

Practice the full AWS SAA-C03 Practice Exam 7

65 questions · hints · full answers · grading

More questions from this exam

Q01A company has multiple AWS accounts in an AWS Organizations organization. The security team needs...Medium Q02An application runs on Amazon EC2 instances and needs to access an Amazon S3 bucket. What is the ...Easy Q03A company wants to implement federated access to the AWS Management Console for its employees usi...Medium Q04A company is building a mobile application that requires users to sign in using their social medi...Easy Q05A security team wants to enforce MFA for all IAM users before they can terminate EC2 instances. H...Medium

View all 65 questions →