Amazon DOP-C02 Exam - Topic 4 Question 55 Discussion

Actual exam question for Amazon's DOP-C02 exam
Question #: 55
Topic #: 4

A company must encrypt all AMIs that the company shares across accounts. A DevOps engineer has access to a source account where an unencrypted custom AMI has been built. The DevOps engineer also has access to a target account where an Amazon EC2 Auto Scaling group will launch EC2 instances from the AMI. The DevOps engineer must share the AMI with the target account.

The company has created an AWS Key Management Service (AWS KMS) key in the source account.

Which additional steps should the DevOps engineer perform to meet the requirements? (Choose three.)

Suggested Answer: A, D, F

The Auto Scaling group service-linked role must have a specific grant in the source account in order to decrypt the encrypted AMI. This is because the service-linked role does not have permissions to assume the default IAM role in the source account.

The following steps are required to meet the requirements:

In the source account, copy the unencrypted AMI to an encrypted AMI. Specify the KMS key in the copy action.

In the source account, create a KMS grant that delegates permissions to the Auto Scaling group service-linked role in the target account.

In the source account, share the encrypted AMI with the target account.

In the target account, attach the KMS grant to the Auto Scaling group service-linked role.

The first three steps are the same as the steps that I described earlier. The fourth step is required to grant the Auto Scaling group service-linked role permissions to decrypt the AMI in the target account.
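
An added example, not part of the original page: an offline preflight that checks the three conditions the explanation names (snapshots encrypted with the specified KMS key, AMI shared with the target account, a grant covering the Auto Scaling service-linked role). The input dicts mimic `describe-snapshots`, `describe-image-attribute` and `list-grants` output; the account IDs, key ARN, snapshot IDs and the required-operations set are constructed assumptions.

```python
# Added example; inputs mimic describe-snapshots, describe-image-attribute
# and list-grants output. All IDs and ARNs below are constructed.
SLR_ARN = ("arn:aws:iam::{acct}:role/aws-service-role/"
           "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")
# Assumption: operations the service-linked role needs on the key.
REQUIRED_OPS = {"Decrypt", "DescribeKey", "CreateGrant", "ReEncryptFrom",
                "ReEncryptTo", "GenerateDataKeyWithoutPlaintext"}

def preflight(snapshots, launch_permissions, grants, key_arn, target_account):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    # 1. Every backing snapshot must be encrypted with the specified KMS key.
    for snap in snapshots:
        if not snap.get("Encrypted"):
            findings.append(f"{snap['SnapshotId']}: not encrypted")
        elif snap.get("KmsKeyId") != key_arn:
            findings.append(f"{snap['SnapshotId']}: encrypted with another key")
    # 2. The AMI must carry a launch permission for the target account.
    if not any(p.get("UserId") == target_account for p in launch_permissions):
        findings.append(f"AMI not shared with account {target_account}")
    # 3. Grants on the key must cover the target account's service-linked role.
    grantee = SLR_ARN.format(acct=target_account)
    granted = set()
    for grant in grants:
        if grant.get("GranteePrincipal") == grantee:
            granted.update(grant.get("Operations", []))
    missing = REQUIRED_OPS - granted
    if missing:
        findings.append(f"grant for {grantee} lacks: {', '.join(sorted(missing))}")
    return findings

KEY = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
TARGET = "222222222222"
GOOD = dict(
    snapshots=[{"SnapshotId": "snap-0aaa", "Encrypted": True, "KmsKeyId": KEY}],
    launch_permissions=[{"UserId": TARGET}],
    grants=[{"GranteePrincipal": SLR_ARN.format(acct=TARGET),
             "Operations": sorted(REQUIRED_OPS)}],
)
BAD = dict(
    snapshots=[{"SnapshotId": "snap-0bbb", "Encrypted": False}],
    launch_permissions=[],
    grants=[{"GranteePrincipal": SLR_ARN.format(acct=TARGET),
             "Operations": ["Decrypt"]}],
)

if __name__ == "__main__":
    for name, state in (("good", GOOD), ("bad", BAD)):
        print(name, preflight(key_arn=KEY, target_account=TARGET, **state))
```

A snapshot encrypted with any key other than the one passed in, including the account's default EBS key, is reported by the first check.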


Deonna
9 days ago
I feel like D is also important. We need to modify the key policy for proper permissions.
upvoted 0 times
...
Talia
14 days ago
C makes sense too. We need to ensure the Auto Scaling group can access the KMS key.
upvoted 0 times
...
Leana
19 days ago
Agreed! A is definitely the first step. But what about option C?
upvoted 0 times
...
Dominque
24 days ago
I think option A is crucial. We need to encrypt the AMI first.
upvoted 0 times
...
Josphine
30 days ago
B is not the right choice; you need to specify the KMS key, not the default EBS key.
upvoted 0 times
...
Lisbeth
1 month ago
I agree, sharing the encrypted AMI is the way to go!
upvoted 0 times
...
Emeline
1 month ago
Option D is a bit overkill, don't you think? Why go through all that trouble with the key policy and grants?
upvoted 0 times
...
Lorrie
2 months ago
Haha, I bet the DevOps engineer is sweating bullets trying to figure this out. Gotta love those encryption requirements!
upvoted 0 times
...
Whitney
2 months ago
I agree with Teresita. Option A is the way to do it.
upvoted 0 times
...
Teresita
2 months ago
Option A is the correct answer. Encrypting the AMI and specifying the KMS key is the way to go.
upvoted 0 times
...
Jacklyn
2 months ago
I’m a bit confused about the key policy changes. Do we need to modify it for the target account before or after we create the grant?
upvoted 0 times
...
Avery
2 months ago
I practiced a similar question where we had to share AMIs, and I feel like sharing the encrypted AMI is the right move here.
upvoted 0 times
...
Nada
2 months ago
I think we definitely need to create a KMS grant for the target account, but I can't recall if it should be done in the source or target account first.
upvoted 0 times
...
Glory
3 months ago
Wait, can you really share an unencrypted AMI? Seems risky!
upvoted 0 times
...
Gennie
3 months ago
Gotta copy the AMI and encrypt it with the KMS key!
upvoted 0 times
...
Skye
3 months ago
Definitely need to modify the key policy for the target account.
upvoted 0 times
...
Linette
3 months ago
I remember something about needing to copy the AMI to encrypt it, but I'm not sure if I should use the KMS key or the default EBS key.
upvoted 0 times
...
Beckie
4 months ago
Hmm, I'm not sure about B and E. Those don't seem to meet the requirement of encrypting the AMI before sharing it.
upvoted 0 times
...
Tawanna
4 months ago
Based on the question, I believe the right steps are A, C, and F. Copying the AMI to an encrypted version, creating a KMS grant in the source account, and then sharing the encrypted AMI.
upvoted 0 times
...
Carri
4 months ago
I'm a bit confused about the KMS key and grant permissions. Do I need to do something with those in both the source and target accounts?
upvoted 0 times
...
Earleen
4 months ago
Okay, I think I've got this. The key is to encrypt the AMI and share the encrypted version with the target account.
upvoted 0 times
...
Belen
4 months ago
Hmm, this looks like a tricky one. I'll need to carefully read through the requirements and think through the steps.
upvoted 0 times
Charisse
3 months ago
Right! We have to make sure the Auto Scaling group can access it too.
upvoted 0 times
...
...
