Q92 — AWS DVA-C02 Ch.2
A developer wants to extend an application to run in multiple AWS Regions. The developer wants to replicate Amazon Machine Images (AMIs) containing the latest changes to create new application stacks in the target Region. Per company policy, all AMIs must be encrypted in all Regions. However, currently, none of the company’s AMIs are encrypted. How can the developer extend the application to the target Region while meeting the encryption requirement?
- A. Create new AMIs and specify encryption parameters during creation. Copy the encrypted AMIs to the target Region. Delete the unencrypted AMIs. ✓
- B. Enable encryption for unencrypted AMIs using AWS Key Management Service (AWS KMS). Copy the encrypted AMIs to the target Region.
- C. Enable encryption for unencrypted AMIs using AWS Certificate Manager (ACM). Copy the encrypted AMIs to the target Region.
- D. Copy unencrypted AMIs to the target Region. Enable default encryption in the target Region.
Correct Answer: A. Create new AMIs and specify encryption parameters during creation. Copy the encrypted AMIs to the target Region. Delete the unencrypted AMIs.
Explanation
Option A is the most compliant solution. Developers can create new AMIs with encryption enabled at creation time, copy those encrypted AMIs to the target Region, and delete unencrypted AMIs — ensuring all AMIs in the target Region are encrypted. Options B and C are invalid: AWS KMS manages encryption keys but cannot retroactively encrypt AMIs; ACM manages TLS certificates, not AMI encryption. Option D fails because enabling default encryption in a Region does not encrypt existing or copied unencrypted AMIs.