Which solution meets these requirements?
Create an RDS for MySQL DB instance with an AWS Key Management Service (AWS KMS) customer managed CMK. Update the key policy to include the Amazon Resource Name (ARN) of the other AWS accounts as a principal, and then allow the kms:CreateGrant action.
Create an RDS for MySQL DB instance with an AWS managed CMK. Create a new key policy to include the Amazon Resource Name (ARN) of the other AWS accounts as a principal, and then allow the kms:CreateGrant action.
Create an RDS for MySQL DB instance with an AWS owned CMK. Create a new key policy to include the administrator user name of the other AWS accounts as a principal, and then allow the kms:CreateGrant action.
Create an RDS for MySQL DB instance with an AWS CloudHSM key. Update the key policy to include the Amazon Resource Name (ARN) of the other AWS accounts as a principal, and then allow the kms:CreateGrant action.
Explanations:
Using a customer-managed AWS KMS CMK allows the company to control the encryption key. By updating the key policy to include the ARNs of other AWS accounts as principals and allowing thekms:CreateGrantaction, the company can share RDS DB snapshots across multiple accounts while ensuring that the encryption policy is adhered to.
AWS managed CMKs cannot be used to share RDS snapshots across accounts. The key is owned and managed by AWS, so the necessary control for sharing snapshots across accounts and modifying the key policy is not possible.
AWS owned CMKs are designed for internal AWS use, and customers cannot modify the key policy to share the key across accounts. This option does not meet the requirements for sharing encrypted RDS snapshots.
AWS CloudHSM is a hardware security module (HSM) designed for more custom cryptographic use cases, not specifically for RDS. It does not integrate with Amazon RDS for MySQL for encryption, and the setup would be more complex than needed for this scenario.