`An error occurred (OperationNotPermitted) when calling the ModifySnapshotAttribute operation: Encrypted snapshots with EBS default key cannot be shared`

Which combination of steps should the security engineer take in the incident account to complete the sharing operation?
(Choose three.)
Create a customer managed CMK. Copy the EBS snapshot encrypting the destination snapshot using the new CMK.
Allow forensics account principals to use the CMK by modifying its policy.
Create an Amazon EC2 instance. Attach the encrypted and suspicious EBS volume. Copy data from the suspicious volume to an unencrypted volume. Snapshot the unencrypted volume.
Copy the EBS snapshot to the new decrypted snapshot.
Restore a volume from the suspicious EBS snapshot. Create an unencrypted EBS volume of the same size.
Share the target EBS snapshot with the forensics account.
Explanations:
Creating a customer managed CMK and copying the snapshot with the new CMK solves the issue of sharing encrypted snapshots, as the default Amazon EBS key cannot be used for sharing. By copying the snapshot with a custom CMK, the snapshot is re-encrypted with a key that can be shared.
Modifying the key policy of the customer managed CMK allows the forensics account to use the CMK for decrypting and accessing the snapshot, which is required to share the snapshot with that account.
Sharing the snapshot with the forensics account is the final step after ensuring that the snapshot is encrypted with a CMK that can be shared and the forensics account has permission to use the key.
Creating an unencrypted volume from the encrypted snapshot and copying data to it would violate the requirement for encryption at all times and is unnecessary for solving the snapshot sharing issue.
Copying the snapshot to an unencrypted snapshot would make it unencrypted, which violates the requirement to keep volumes encrypted at all times. It does not resolve the issue of sharing encrypted snapshots.
Restoring a volume from the snapshot and creating an unencrypted EBS volume also violates the encryption requirement and is not a valid approach to sharing encrypted snapshots.
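The three correct steps, in order, as an added example that is not part of the original question: it assumes boto3 EC2 and KMS clients for the incident account are passed in, and the function names, the account-root principal and the KMS action list are assumptions chosen for illustration.

```python
import json

# Assumption: KMS actions the forensics account needs to use a shared encrypted snapshot.
USE_ACTIONS = ["kms:Decrypt", "kms:DescribeKey", "kms:ReEncrypt*", "kms:GenerateDataKey*"]

def build_key_policy(incident_account, forensics_account):
    """Key policy: the incident account keeps control, the forensics account may use the key."""
    forensics = f"arn:aws:iam::{forensics_account}:root"  # assumption: delegate to the whole account
    return {
        "Version": "2012-10-17",
        "Statement": [
            # put_key_policy replaces the whole document, so the owning account must stay in it.
            {"Sid": "IncidentAccountAdmin", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{incident_account}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "ForensicsUse", "Effect": "Allow",
             "Principal": {"AWS": forensics}, "Action": USE_ACTIONS, "Resource": "*"},
            # Grants are what let EBS use the key for a volume; restrict them to AWS services.
            {"Sid": "ForensicsGrant", "Effect": "Allow",
             "Principal": {"AWS": forensics}, "Action": "kms:CreateGrant", "Resource": "*",
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }

def share_encrypted_snapshot(ec2, kms, snapshot_id, region, incident_account, forensics_account):
    """Re-encrypt under a customer managed key, then share; the data is never unencrypted."""
    # Step 1: create the customer managed key.
    key_arn = kms.create_key(Description="IR snapshot sharing key")["KeyMetadata"]["Arn"]
    # Step 2: modify its policy so forensics principals can use it.
    kms.put_key_policy(KeyId=key_arn, PolicyName="default",
                       Policy=json.dumps(build_key_policy(incident_account, forensics_account)))
    # Step 1 (continued): copy the snapshot, encrypting the destination with the new key.
    copy_id = ec2.copy_snapshot(SourceSnapshotId=snapshot_id, SourceRegion=region,
                                Encrypted=True, KmsKeyId=key_arn,
                                Description=f"IR copy of {snapshot_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[copy_id])
    # Step 3: share the re-encrypted copy, not the original snapshot.
    ec2.modify_snapshot_attribute(SnapshotId=copy_id, Attribute="createVolumePermission",
                                  OperationType="add", UserIds=[forensics_account])
    return key_arn, copy_id

if __name__ == "__main__":
    # Constructed account IDs; prints the policy only and makes no AWS calls.
    print(json.dumps(build_key_policy("111111111111", "222222222222"), indent=2))
```
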