How can the developer expand the application to run in the destination Region while meeting the encryption requirement?
Create new AMIs, and specify encryption parameters. Copy the encrypted AMIs to the destination Region. Delete the unencrypted AMIs.
Use AWS Key Management Service (AWS KMS) to enable encryption on the unencrypted AMIs. Copy the encrypted AMIs to the destination Region.
Use AWS Certificate Manager (ACM) to enable encryption on the unencrypted AMIs. Copy the encrypted AMIs to the destination Region.
Copy the unencrypted AMIs to the destination Region. Enable encryption by default in the destination Region.
Explanations:
This option meets the requirements by creating new AMIs with encryption parameters and copying them to the destination Region. It ensures that all AMIs are encrypted, as required by company policy. Deleting unencrypted AMIs helps in maintaining compliance.
AWS KMS does not enable encryption on existing unencrypted AMIs directly. AMIs must be created from the original instance with encryption settings, rather than modifying the AMI itself after it has been created.
AWS Certificate Manager (ACM) is used for managing SSL/TLS certificates and does not provide functionality for encrypting AMIs. Therefore, it cannot be used to enable encryption on unencrypted AMIs.
While copying unencrypted AMIs to the destination Region is possible, enabling encryption by default does not retroactively encrypt the AMIs. This means that the unencrypted AMIs would still exist, violating the company’s encryption requirement.
I believe the answer is:
Create new AMIs, and specify encryption parameters. Copy the encrypted AMIs to the destination Region. Delete the unencrypted AMIs.