Q60 — AWS SOA-C02 Ch.1
A SysOps administrator has an AWS CloudFormation template that is used to deploy an encrypted Amazon Machine Image (AMI). The CloudFormation template will be used in a second account, so the SysOps administrator copies the encrypted AMI to the second account. When launching the new CloudFormation stack in the second account, it fails. Which action should the SysOps administrator take to correct the issue?
- A. Change the AMI permissions to mark the AMI as public.
- B. Deregister the AMI in the source account.
- C. Re-encrypt the destination AMI with an AWS Key Management Service (AWS KMS) key from the destination account.
- D. Update the CloudFormation template with the ID of the AMI in the destination account. ✓
Correct Answer: D. Update the CloudFormation template with the ID of the AMI in the destination account.
Explanation
When AWS CloudFormation deploys an encrypted AMI in a second account, the AMI ID in the template must match the AMI that was copied into the destination account. Sharing an Amazon Machine Image across accounts involves permission settings and encryption key configuration, but once the AMI has been copied successfully, the CloudFormation template in the destination account must reference an AMI ID that is valid within that account in order to resolve the resource correctly. Option D states that the AMI ID in the template must be updated, which matches AWS guidance on cross-account AMI use: the copied AMI has its own unique identifier in the destination account and must be specified explicitly at deployment time. Option A, making the AMI public, introduces a security risk; option B, deregistering the source AMI, does not affect resources in the destination account; option C involves re-encryption, but that presupposes the destination account already has the correct KMS key policy configured, and the question does not mention a key problem.