SCS-C02 Question #284: Real Exam Question with Answer & Explanation
The correct answer is A: Create a customer managed CMK.
Question
A company needs its Amazon Elastic Block Store (Amazon EBS) volumes to be encrypted at all times. During a security incident, EBS snapshots of suspicious instances are shared to a forensics account for analysis. A security engineer attempting to share a suspicious EBS snapshot to the forensics account receives the following error: "Unable to share snapshot: An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared." Which combination of steps should the security engineer take in the incident account to complete the sharing operation? (Select THREE.)
Options
- A. Create a customer managed CMK
- B. Create an Amazon EC2 instance
- C. Copy the EBS snapshot to the new decrypted snapshot
- D. Restore a volume from the suspicious EBS snapshot
- E. Share the target EBS snapshot with the forensics account
Explanation
Note: The stated answer (A, B) appears incomplete - this is a "Select THREE" question, and option B (creating an EC2 instance) has no relevance to snapshot sharing. The technically correct three steps are almost certainly A, C (re-interpreted as copy-with-CMK), and E, based on standard AWS procedure.
AWS prohibits sharing EBS snapshots encrypted with the AWS managed default key (aws/ebs) across accounts, which is exactly what the error message states. To work around this, in the incident account you must: (A) create a customer managed key (CMK) that you control, then (C) copy the suspicious snapshot specifying that new CMK so the copy is re-encrypted under it (the option's wording "decrypted" is misleading; the copy should remain encrypted, just under your CMK), and finally (E) share that re-encrypted snapshot with the forensics account, along with granting the forensics account access to the CMK in the key policy, since a shared encrypted snapshot is unusable without access to the key that protects it.
Why the distractors are wrong:
- B (Create EC2 instance): Irrelevant - snapshot sharing is a control-plane operation requiring no running instance.
- D (Restore a volume): Unnecessary - you never need to mount the data to re-encrypt and share a snapshot.
- C as written ("decrypted snapshot"): Violates the company's "always encrypted" requirement, making this wording incorrect even if the underlying copy-snapshot step is needed.
Memory tip: Think of the default EBS key as a "house key you can't duplicate" - you must make your own copy of the lock (CMK), re-key the snapshot to it, then hand that key to the forensics team along with the snapshot.