Free AWS DOP-C02 Actual Exam Questions - Question 14 Discussion
uses AWS Backup in a primary account and uses an AWS Key Management Service (AWS KMS) key to
encrypt the backups.
The company needs to automate a cross-account backup of the resources that AWS Backup backs up
in the primary account. The company configures cross-account backup in the Organizations
management account. The company creates a new AWS account in the organization and configures
an AWS Backup backup vault in the new account. The company creates a KMS key in the new account
to encrypt the backups. Finally, the company configures a new backup plan in the primary account.
The destination for the new backup plan is the backup vault in the new account.
When the AWS Backup job in the primary account is invoked, the job creates backups in the primary
account. However, the backups are not copied to the new account's backup vault.
Which combination of steps must the company take so that backups can be copied to the new
account's backup vault? (Select TWO.)
Maybe A and E. The backup vault in the new account needs to trust the primary account, and the new account’s KMS key policy must allow the primary account’s AWS Backup service to use it for encryption.
Maybe try A and E. The backup vault in the new account definitely needs to allow the primary account access so it can store backups there, and since the new account’s KMS key encrypts those backups, its key policy must grant the primary account permission to use that key. Without that, the copy can’t happen. The other options seem off because the backup vault and KMS key in the primary account don’t control access for storing backups in the new account’s vault.
A/E? The backup vault in the new account definitely needs to allow the primary account access, so A makes sense. Also, since the backups are encrypted with the new account’s KMS key, that key’s policy must let AWS Backup from the primary account use it—so E fits. The policies on the primary account’s resources or keys don’t really come into play here since the copy goes into the new account’s vault and uses its key.
Maybe A and E. The vault in the new account needs to trust the primary account, and the new account’s KMS key policy must allow the primary account’s AWS Backup service to use it for encryption.
It’s A and E. The backup vault in the new account needs to explicitly allow the primary account, and the KMS key policy in the new account must let the primary account use that key for encrypting the backups.
It’s A and E. The vault in the new account needs to allow the primary account access, plus the new account’s KMS key policy must let the primary account use it for encryption. Without these, cross-account backups won’t work.
A/E for sure, vault needs access for primary account and new account's key must allow backup use.
A/E? The backup vault in the new account needs to allow the primary account access, and the KMS key in the new account must let the primary account use it to encrypt backups.
A and E imo, need vault access and KMS key shared from new to primary.