You create an EBS snapshot for an application in non-production AWS account A. The snapshot is encrypted by a customer-managed key (CMK-A). To deploy the same application in the production AWS account B, you need to create an AMI using the snapshot and launch an EC2 instance. The IAM admin user in account B is allowed to use CMK-A. However, the production EC2 instance has to use its own customer-managed key (CMK-B) to encrypt the EBS volume. Which solution is the best?

Answer options:

A.Copy the snapshot to another one and do not encrypt it. Share the new snapshot to account.
B.Created an encrypted version of the snapshot (w/ CMK-A) and then create an AMI using the encrypted snapshot. Launch an EC2 instance using the AMI and encrypt the EBS volume with CMK-B.C.Share the snapshot with account B and encrypt it with CMK-B. Create an AMI using the new snapshot and launch an EC2 instance.
D.Create an image in account B and change the encryption key to CMK-B. Launch an EC2 instance using the image.

Correct Answer – B
When sharing an Amazon EBS snapshot between accounts, there are cases that a new CMK has to be used. References can be found in https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html and https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-copy-snapshot.html.
Option A is incorrect: Because encrypted snapshots cannot be copied to non-encrypted ones.
Option B is CORRECT: Because when creating snapshots, the new snapshot can be encrypted with a new CMK. AWS CLI command copy-snapshot uses the option of --KMS-key-id to specify the CMK.
The steps to create a proper encrypted EC2/AMI in account B are:
1. Share the EBS snapshot with account B
2. The IAM admin user in account B, copy the EBS snapshot from A to B (since it is shared and we have access to CMK A that works just fine) using CMK
B.3. The IAM admin user in account B create EC2 AMI out from the copied EBS Snapshot.
Option C is incorrect: Because you need to create a copy of the snapshot, and you cannot just share the snapshot between Account "A" and Account "B".
Option D is incorrect: Because you need to share the snapshot between Account "A" and Account "B". Without sharing, you cannot create the image in Account "B".