
DVA-C02: How to Expand an Application to Multiple AWS Regions with Encrypted AMIs

Learn how to copy and encrypt Amazon Machine Images (AMIs) across different AWS Regions when expanding an application to run in multiple locations. Discover the best practices and steps for this process.

Question

A developer wants to expand an application to run in multiple AWS Regions. The developer wants to copy Amazon Machine Images (AMIs) with the latest changes and create a new application stack in the destination Region. According to company requirements, all AMIs must be encrypted in all Regions.

However, not all the AMIs that the company uses are encrypted.

How can the developer expand the application to run in the destination Region while meeting the encryption requirement?

A. Create new AMIs, and specify encryption parameters. Copy the encrypted AMIs to the destination Region. Delete the unencrypted AMIs.

B. Use AWS Key Management Service (AWS KMS) to enable encryption on the unencrypted AMIs. Copy the encrypted AMIs to the destination Region.

C. Use AWS Certificate Manager (ACM) to enable encryption on the unencrypted AMIs. Copy the encrypted AMIs to the destination Region.

D. Copy the unencrypted AMIs to the destination Region. Enable encryption by default in the destination Region.

Answer

A. Create new AMIs, and specify encryption parameters. Copy the encrypted AMIs to the destination Region. Delete the unencrypted AMIs.

Explanation

The correct answer is A. Create new AMIs, and specify encryption parameters. Copy the encrypted AMIs to the destination Region. Delete the unencrypted AMIs.

This solution will meet the encryption requirement because it will ensure that all AMIs are encrypted in all Regions. The developer can use the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS SDKs to create new AMIs from the existing unencrypted AMIs and specify encryption parameters. The developer can use AWS Key Management Service (AWS KMS) to generate or use a customer master key (CMK) for encryption. The developer can then copy the encrypted AMIs to the destination Region and delete the unencrypted AMIs.
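The steps described above can be planned from an AMI inventory. The following is an added example, not part of the original question or any AWS tooling: it reads `describe-images`-style JSON, flags AMIs that have any unencrypted EBS snapshot, and builds `aws ec2 copy-image --encrypted` argument lists for them. The AMI IDs, names, Regions and key alias are constructed placeholders, and the `-enc` name suffix is an assumption.

```python
import json

# Constructed sample shaped like `aws ec2 describe-images --owners self` output.
SAMPLE = json.loads("""
{"Images": [
  {"ImageId": "ami-0aaaaaaaaaaaaaaa1", "Name": "web-v12",
   "BlockDeviceMappings": [
     {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0aaa", "Encrypted": false}}]},
  {"ImageId": "ami-0bbbbbbbbbbbbbbb2", "Name": "api-v7",
   "BlockDeviceMappings": [
     {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0bbb", "Encrypted": true}},
     {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}]},
  {"ImageId": "ami-0ccccccccccccccc3", "Name": "batch-v3",
   "BlockDeviceMappings": [
     {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0ccc", "Encrypted": true}},
     {"DeviceName": "/dev/sdf", "Ebs": {"SnapshotId": "snap-0ccd", "Encrypted": false}}]}
]}
""")

def unencrypted_devices(image):
    """Devices backed by an unencrypted EBS snapshot.
    Instance-store mappings carry no "Ebs" key and are skipped."""
    return [m["DeviceName"] for m in image.get("BlockDeviceMappings", [])
            if "Ebs" in m and not m["Ebs"].get("Encrypted", False)]

def copy_cmd(image, src, dst, kms_key=None):
    """Argument list for an encrypted copy of `image` from Region src into dst."""
    cmd = ["aws", "ec2", "copy-image", "--source-image-id", image["ImageId"],
           "--source-region", src, "--region", dst,
           "--name", image["Name"] + "-enc", "--encrypted"]
    if kms_key:  # KMS keys are Regional: the key must exist in the --region Region
        cmd += ["--kms-key-id", kms_key]
    return cmd

def plan(images, src, dst, src_key=None, dst_key=None):
    """Return (re-create encrypted in the source Region, ready to copy to dst)."""
    reencrypt, ready = [], []
    for img in images:
        if unencrypted_devices(img):  # one unencrypted volume fails the requirement
            reencrypt.append(copy_cmd(img, src, src, src_key))
        else:
            ready.append(copy_cmd(img, src, dst, dst_key))
    return reencrypt, ready

if __name__ == "__main__":
    for group in plan(SAMPLE["Images"], "us-east-1", "us-west-2", "alias/ami-key"):
        for cmd in group:
            print(" ".join(cmd))
```

Each same-Region encrypted copy returns a new AMI ID; that ID is what gets copied to the destination Region before the unencrypted original is deregistered.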

The other options are not optimal or feasible for the following reasons:

B. Using AWS Key Management Service (AWS KMS) to enable encryption on the unencrypted AMIs will not work, as AWS KMS does not provide a direct way to encrypt existing AMIs. The developer will have to create new encrypted volumes from the unencrypted volumes and then create new encrypted AMIs from the encrypted volumes.

C. Using AWS Certificate Manager (ACM) to enable encryption on the unencrypted AMIs will not work, as ACM is a service that provides and manages public SSL/TLS certificates for web applications. ACM does not provide encryption for AMIs or volumes.

D. Copying the unencrypted AMIs to the destination Region and enabling encryption by default in the destination Region will not work, as encryption by default only applies to new volumes created from encrypted snapshots or new snapshots created from encrypted volumes. It does not apply to existing unencrypted volumes or snapshots.
