A company wants to share an encrypted Amazon RDS snapshot with another AWS account. The snapshot is encrypted using a customer managed AWS KMS key. Which TWO steps must the solutions architect take to share the snapshot? (Select TWO.)

Answer options:

Modify the KMS key policy to grant the target account permissions to use the key.

Modify the RDS snapshot to use an AWS managed KMS key.

Share the RDS snapshot with the target AWS account ID.

Create an IAM role in the source account for the target account to assume.

Copy the snapshot to an S3 bucket and share the bucket.

How to approach this question

When sharing encrypted resources across accounts, you must share BOTH the resource and the KMS key used to encrypt it.

Full Answer

Share the KMS key and share the snapshot.

To share an encrypted RDS snapshot, you must use a customer managed KMS key. You must share the snapshot itself with the target account AND update the KMS key policy to allow the target account to use the key.

Common mistakes

Thinking AWS managed keys can be shared across accounts.

Question 11 All questions Question 13

Practice the full AWS SAA-C03 Practice Exam 3

65 questions · hints · full answers · grading

More questions from this exam

Q01A company stores sensitive documents in an Amazon S3 bucket. The security team requires that only...Easy Q02A large enterprise uses AWS Organizations to manage multiple accounts. The security team wants to...Medium Q03A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (AL...Easy Q04A company wants to continuously monitor its AWS accounts for malicious activity and unauthorized ...Medium Q05A company needs to encrypt data at rest in Amazon RDS and manage database credentials securely. T...Medium

View all 65 questions →