Q92 — AWS DVA-C02 Ch.2

A developer wants to extend an application to run in multiple AWS Regions. The developer wants to replicate Amazon Machine Images (AMIs) containing the latest changes to create new application stacks in the target Region. Per company policy, all AMIs must be encrypted in all Regions. However, currently, none of the company’s AMIs are encrypted. How can the developer extend the application to the target Region while meeting the encryption requirement?

Correct Answer: A. Create new AMIs and specify encryption parameters during creation. Copy the encrypted AMIs to the target Region. Delete the unencrypted AMIs.

Explanation

Option A is the most compliant solution. Developers can create new AMIs with encryption enabled at creation time, copy those encrypted AMIs to the target Region, and delete unencrypted AMIs — ensuring all AMIs in the target Region are encrypted. Options B and C are invalid: AWS KMS manages encryption keys but cannot retroactively encrypt AMIs; ACM manages TLS certificates, not AMI encryption. Option D fails because enabling default encryption in a Region does not encrypt existing or copied unencrypted AMIs.