AWS Certified Developer – Associate / Question #1096 of 557

Question #1096

A company uses two AWS accounts: analytics (Account A) and backup (Account B). The company stores data in an Amazon S3 bucket in Account A, encrypted with an AWS KMS customer managed key. The data must be copied to an S3 bucket in Account B, encrypted using a KMS key from Account B that is accessible by Account A.

Which solution will meet these requirements?

A. Replicate the customer managed KMS key from Account A to Account B. Specify Account A in the key policy.

B. Create a new customer managed KMS key in Account B. Specify Account A in the key policy.

C. Create a new AWS managed KMS key for Amazon S3 in Account B. Specify Account A in the key policy.

D. Replicate the default AWS managed KMS key for Amazon S3 from Account A to Account B. Specify Account A in the key policy.

Explanation

Answer B is correct because:
1. Customer managed key in Account B: The destination bucket in Account B must use a KMS key that belongs to Account B. Creating a new customer managed key in Account B ensures the copied data is encrypted with a key owned and controlled by Account B.
2. Cross-account access via key policy: Specifying Account A as a principal in the key policy of Account B's key grants Account A permission to use that key (for example, to generate data keys for SSE-KMS) during the copy operation. Principals in Account A can then be given that permission through IAM policies in Account A.
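The key policy described in point 2, written out as an added example (it is not part of the original question or of any AWS documentation page). Account IDs `111111111111` (Account A, analytics) and `222222222222` (Account B, backup), the Region `us-east-1` and the statement IDs are placeholders chosen for illustration. The first statement keeps Account B's own administrators in control of the key; the second grants Account A the actions S3 needs to encrypt objects with the key, restricted with `kms:ViaService` so the key can only be used through S3 in that Region rather than from arbitrary KMS API calls:

```json
{
  "Version": "2012-10-17",
  "Id": "backup-bucket-key-policy",
  "Statement": [
    {
      "Sid": "EnableAccountBKeyAdministration",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::222222222222:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowAccountAToEncryptCopiedObjects",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
      "Action": [
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

Granting the `:root` principal of Account A does not by itself let any role in Account A use the key; the role that performs the copy also needs an IAM policy in Account A allowing the same KMS actions on this key's ARN, which is what makes cross-account KMS access a two-sided permission. If Account A uploads large objects with multipart uploads or later reads the copies back, `kms:Decrypt` must be added to the allowed actions. This policy applies only to a customer managed key, which is why options C and D fail: an AWS managed key's policy cannot be edited to include another account.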

Why the other options are incorrect:
- A: KMS keys cannot be replicated across accounts. Cross-account access is granted by modifying the key policy, not by replication.
- C: AWS managed KMS keys have fixed key policies that cannot be modified, so cross-account access cannot be granted.
- D: AWS managed keys cannot be replicated or shared across accounts, and replication is not a valid KMS operation for cross-account scenarios.

Key points:
- Use customer managed keys for cross-account encryption.
- Modify the key policy of the destination account's KMS key to grant access to the source account.
- AWS managed keys cannot be shared across accounts.

Answer

The correct answer is: B