AWS Certified Solutions Architect - Associate / Question #1796 of 1019

Question #1796

A company uses AWS Organizations with a central security OU and a production OU. The security OU needs to share encrypted AMIs, created using AWS KMS, with the production OU. Which two steps are required to enable the production OU to launch instances from these AMIs?

A

Add the production OU's ARN to the AMI's launch permissions.

B

Add the Organizations root ARN to the AMI's launch permissions.

C

Update the KMS key policy to allow the production OU to use the key.

D

Add each production account's ARN to the AMI's launch permissions.

E

Recreate the KMS key with a policy allowing the Organizations root ARN.

Explanation

The correct answers are A and C.

- A: The AMI's launch permissions must include the production OU's ARN so that every account in that OU can launch instances from it. Because AWS supports sharing an AMI with an entire OU by ARN, no per-account entries are needed (which rules out D).
- C: An encrypted AMI can only be used by principals that are allowed to use the KMS key it was encrypted with, so the key policy must grant the production OU permission to use the key for decryption. Updating the existing key's policy (C) is sufficient; recreating the key (E) is unnecessary.

Why others are incorrect:
- B: Using the Organizations root ARN is unnecessary; granular OU-level sharing is preferred.
- D: Adding individual account ARNs is inefficient when OU-level sharing is possible.
- E: Recreating the key isn't required; modifying the policy of the existing key suffices.

Key Points:
1. Sharing AMIs requires updating launch permissions with the target OU's ARN.
2. Encrypted AMIs require KMS key policies to grant access to the target OU.
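The two steps above map onto two concrete artifacts: the LaunchPermission passed to EC2's ModifyImageAttribute (step A) and a statement in the KMS key policy scoped with the aws:PrincipalOrgPaths condition (step C). The following Python is an added illustration written for this page, not code from the question bank or from AWS; all account, organization, root and OU identifiers are constructed placeholders, and the helper names (launch_permission_for_ou, kms_statement_for_ou, statement_allows_org_path, review_sharing_config) are hypothetical. It builds both artifacts and then checks, with IAM StringLike wildcard semantics, that the key policy admits principals in the production OU and its child OUs but not a sibling OU, so a reviewer can verify that both steps are in place before an AMI is shared.

```python
import fnmatch
import json

# Constructed placeholder identifiers for this example (not values from the page).
SECURITY_ACCOUNT_ID = "111111111111"        # account in the security OU that owns the AMI and the key
ORG_ID = "o-exampleorg1"
ROOT_ID = "r-exroot"
PROD_OU_ID = "ou-exroot-prodou001"
PROD_OU_ARN = f"arn:aws:organizations::{SECURITY_ACCOUNT_ID}:ou/{ORG_ID}/{PROD_OU_ID}"
# aws:PrincipalOrgPaths values have the form "<org-id>/<root-id>/<ou-id>/.../"
PROD_OU_PATH = f"{ORG_ID}/{ROOT_ID}/{PROD_OU_ID}/"


def launch_permission_for_ou(ou_arn: str) -> dict:
    """Step A: LaunchPermission parameter for ModifyImageAttribute that shares the AMI with a whole OU."""
    return {"LaunchPermission": {"Add": [{"OrganizationalUnitArn": ou_arn}]}}


def kms_statement_for_ou(ou_path: str) -> dict:
    """Step C: key policy statement letting principals whose org path is under the OU use the key.

    Principal is "*" because the accounts are not listed individually; the
    aws:PrincipalOrgPaths condition (with a trailing *) narrows it to the OU and its child OUs.
    kms:CreateGrant is needed so EC2/EBS can create grants at launch time; it can be further
    restricted with the kms:GrantIsForAWSResource condition key if desired.
    """
    return {
        "Sid": "AllowProductionOUToUseKeyForSharedAMIs",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": [
            "kms:Decrypt",
            "kms:DescribeKey",
            "kms:GenerateDataKey*",
            "kms:ReEncrypt*",
            "kms:CreateGrant",
        ],
        "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalOrgPaths": [ou_path + "*"]}},
    }


def statement_allows_org_path(statement: dict, principal_org_path: str) -> bool:
    """Does this Allow statement's aws:PrincipalOrgPaths condition admit the given principal path?

    Models IAM StringLike semantics for this one key: * and ? wildcards, case-sensitive match.
    """
    if statement.get("Effect") != "Allow":
        return False
    patterns = statement.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalOrgPaths", [])
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(principal_org_path, p) for p in patterns)


def review_sharing_config(key_policy: dict, launch_permission: dict, ou_arn: str, ou_path: str) -> list:
    """Return findings for a planned share; an empty list means both steps A and C cover the OU."""
    findings = []
    adds = launch_permission.get("LaunchPermission", {}).get("Add", [])
    if not any(entry.get("OrganizationalUnitArn") == ou_arn for entry in adds):
        findings.append("AMI launch permissions do not include the production OU ARN (step A missing)")
    if not any(statement_allows_org_path(s, ou_path) for s in key_policy.get("Statement", [])):
        findings.append("KMS key policy does not allow the production OU to use the key (step C missing)")
    return findings


if __name__ == "__main__":
    policy = {"Version": "2012-10-17", "Statement": [kms_statement_for_ou(PROD_OU_PATH)]}
    permission = launch_permission_for_ou(PROD_OU_ARN)
    print(json.dumps(policy, indent=2))
    print(json.dumps(permission, indent=2))
    print("findings:", review_sharing_config(policy, permission, PROD_OU_ARN, PROD_OU_PATH))
```

The check deliberately tests a child OU path as well as a sibling OU: the trailing `*` in the condition is what makes nested OUs under production inherit access, while a sibling OU such as a sandbox OU stays excluded, which is the granularity the explanation prefers over sharing with the Organizations root.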

Answer

The correct answer is: AC