A user has stored data on an encrypted EBS volume. The user wants to share the data with his friend’s AWS account. How can the user achieve this?
A. Create an AMI from the volume and share the AMI
B. Copy the data to an unencrypted volume and then share
C. Take a snapshot and share the snapshot with a friend
D. If both the accounts are using the same encryption key then the user can share the volume directly
Explanation:
AWS EBS supports encryption of the volume. It also supports creating volumes from existing snapshots provided the snapshots are created from encrypted volumes. If the user has data on an encrypted volume and is trying to share it with others, he has to copy the data from the encrypted volume to a new unencrypted volume. Only then can the user share it as an encrypted volume data. Otherwise the snapshot cannot be shared.
The answer should be C.
“You can share an encrypted snapshot with specific AWS accounts, though you cannot make it public. For others to use the snapshot, you must also share the custom CMK key used to encrypt it. Cross-account permissions may be applied to a custom key either when it is created or at a later time. Users with access can copy your snapshot and create their own EBS volumes based on your snapshot while your original snapshot remains unaffected.”
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
I agree with BigMike. There is an exception for encrypted EBS volumes, which is that the encryption key must be a custom CMK, not the default CMK. If it is a custom CMK then it’s possible to share the snapshot with others, or else it is not possible. So, if one wants to share the encrypted EBS volume, make sure you have control over the encryption CMK key such that others can use the key to restore the volume and create an EBS volume from the snapshot.
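Added example, not part of the thread or of AWS documentation: a pre-share check for the custom-CMK condition discussed above, which returns the `ModifySnapshotAttribute` parameters and a key policy statement for the other account. The function name, the sample IDs and ARNs, and the `KEY_ACTIONS` list are assumptions made for illustration.

```python
# Added example. Inputs are constructed samples shaped like the EC2
# DescribeSnapshots and KMS DescribeKey responses; nothing here calls AWS.
KEY_ACTIONS = [  # assumption: verify against the current AWS snapshot-sharing docs
    "kms:DescribeKey", "kms:CreateGrant", "kms:Decrypt",
    "kms:ReEncrypt*", "kms:GenerateDataKey*",
]

def plan_snapshot_share(snapshot, key_metadata, target_account):
    """Return (ok, plan_or_reason) for sharing a snapshot with one account."""
    if not (target_account.isdigit() and len(target_account) == 12):
        return False, "target must be a 12-digit AWS account ID"
    # Parameters for EC2 ModifySnapshotAttribute: named accounts only, never
    # the public "all" group (encrypted snapshots cannot be public anyway).
    plan = {"modify_snapshot_attribute": {
        "SnapshotId": snapshot["SnapshotId"],
        "Attribute": "createVolumePermission",
        "OperationType": "add",
        "UserIds": [target_account],
    }}
    if not snapshot.get("Encrypted"):
        return True, plan
    if key_metadata is None or key_metadata["Arn"] != snapshot["KmsKeyId"]:
        return False, "key metadata does not match the snapshot's KmsKeyId"
    if key_metadata["KeyManager"] != "CUSTOMER":
        # The AWS managed default EBS key cannot be shared across accounts.
        return False, "re-encrypt a copy with a customer managed key first"
    # Statement to add to the customer managed key's policy so the other
    # account can copy the snapshot and create volumes from it.
    plan["key_policy_statement"] = {
        "Sid": "AllowSnapshotUse",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{target_account}:root"},
        "Action": KEY_ACTIONS,
        "Resource": "*",
    }
    return True, plan

# Constructed sample data (placeholder account IDs and key ARNs).
OWNER, FRIEND = "111122223333", "444455556666"
CMK = {"Arn": f"arn:aws:kms:us-east-1:{OWNER}:key/EXAMPLE-CUSTOM", "KeyManager": "CUSTOMER"}
DEFAULT = {"Arn": f"arn:aws:kms:us-east-1:{OWNER}:key/EXAMPLE-DEFAULT", "KeyManager": "AWS"}
SNAP_CMK = {"SnapshotId": "snap-0123456789abcdef0", "Encrypted": True, "KmsKeyId": CMK["Arn"]}
SNAP_DEFAULT = {"SnapshotId": "snap-0fedcba9876543210", "Encrypted": True, "KmsKeyId": DEFAULT["Arn"]}

if __name__ == "__main__":
    for snap, key in ((SNAP_CMK, CMK), (SNAP_DEFAULT, DEFAULT)):
        print(snap["SnapshotId"], plan_snapshot_share(snap, key, FRIEND))
```

The returned dictionaries are meant to be reviewed before being passed to the corresponding EC2 and KMS calls; the recipient should then copy the snapshot and re-encrypt it with a key they control, as the AWS guidance quoted in this thread recommends.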
Makes sense, it should be C
C
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
…
Public snapshots of encrypted volumes are not supported, but you can share an encrypted snapshot with specific accounts if you take the following steps:
…
Answer is B.
AWS EBS supports encryption of the volume. It also supports creating volumes from existing snapshots provided the snapshots are created from encrypted volumes. If the user has data on an encrypted volume and is trying to share it with others, he has to copy the data from the encrypted volume to a new unencrypted volume. Only then can the user share it as an encrypted volume data. Otherwise the snapshot cannot be shared.
If you have access to a shared encrypted snapshot and you wish to restore a volume from it, you must create a personal copy of the snapshot and then use that copy to restore the volume. We recommend that you re-encrypt the snapshot during the copy process with a different key that you control. This protects your access to the volume if the original key is compromised, or if the owner revokes the key for any reason.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
Answer B
b
I will go with B.
Here the question is not talking about securely sharing the data, which needs sharing the CMK with the other AWS user.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
c
The question is saying that it is sharing with another AWS account.
The answer is C, the user is sharing the encrypted snapshot with another AWS account, thus the CMK is needed. There is no stipulation about securely, as sharing with another AWS account mandates the CMK is needed.
b
I would have selected C, if the option talks about CMK.
I will go with B
B is always a valid option while C is only applicable to CMK