Free AWS DVA-C02 Actual Exam Questions - Question 8 Discussion
copy Amazon Machine Images (AMIs) with the latest changes and create a new application stack in
the destination Region. According to company requirements, all AMIs must be encrypted in all
Regions. However, not all the AMIs that the company uses are encrypted.
How can the developer expand the application to run in the destination Region while meeting the
encryption requirement?
It’s A for sure. You can’t just flip encryption on an existing AMI or snapshot, so creating a new encrypted AMI and then copying is the only way to meet the encryption rule across regions.
Maybe D is out since you can’t just copy unencrypted AMIs and then magically turn on encryption by default in the new region. I think B and C are off too because KMS manages keys but doesn’t directly enable encryption on existing AMIs, and ACM is for certificates, not AMI encryption. So yeah, A feels right—you create new AMIs with encryption enabled first, then copy them over. That way all AMIs are encrypted before they’re used anywhere.
A/D? Creating new encrypted AMIs (A) ensures compliance, but copying unencrypted AMIs then encrypting afterward (D) isn’t possible since AMI encryption can’t be added post-copy. So A makes more sense here.
A looks right since you can create encrypted AMIs and copy them securely.