Which combination of steps should the security team take so that the automation can capture EC2 forensic evidence in all AWS accounts in the organization?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company has an organization in AWS Organizations.The company’s security team is developing automation to capture Amazon EC2 forensic evidence within any AWS account in the organization.The company has encrypted the Amazon Elastic Block Store (Amazon EBS) volumes of all the EC2 instances in the organization by default by using the AWS managed key.The automation consists of AWS Lambda functions and AWS Step Functions state machines.The automation assumes an IAM role in the target AWS account.The automation takes snapshots of suspicious EC2 instances and assigns permissions to allow the security team’s account to copy the snapshots.The security team has an AWS Key Management Service (AWS KMS) key to encrypt the snapshots.During testing, the automation fails to copy the snapshots into the security team’s AWS account.

Which combination of steps should the security team take so that the automation can capture EC2 forensic evidence in all AWS accounts in the organization?

(Choose three.)

In the target AWS account, update the KMS key policy on the AWS managed key to explicitly allow the kms:Decrypt and kms:CreateGrant actions to the automation’s IAM role.

In the target AWS account, create a customer managed KMS key. Update the automation’s IAM role to allow the kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, and kms:CreateGrant actions.

In the security team’s AWS account, update the automation’s IAM role to allow the kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, and kms:CreateGrant actions for the AWS managed key.

In the security team’s AWS account, update the automation’s IAM role to allow the kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, and kms:CreateGrant actions for the customer managed KMS key.

In the security team’s AWS account, update the automation code to take EBS snapshots and to use the AWS managed key.

In the security team’s AWS account, update the automation code to take EBS snapshots and to use the customer managed KMS key.

Explanations:

The AWS managed KMS keys cannot have their key policies modified, as they are controlled by AWS. Therefore, updating the KMS key policy for the AWS managed key is not an option.

Creating a customer managed KMS key in the target account and updating the IAM role to allow necessary KMS actions ensures that the automation can encrypt and decrypt snapshots successfully. This allows for more granular control over key permissions.

The security team’s IAM role cannot manage permissions for AWS managed keys across accounts. Since the AWS managed key policy cannot be updated, this option would not resolve the issue.

Updating the automation’s IAM role in the security team’s AWS account to allow necessary actions for the customer managed KMS key will enable it to encrypt and decrypt the snapshots correctly when they are copied.

The AWS managed KMS key policy cannot be updated, and while the automation code could take EBS snapshots, it wouldn’t resolve the permissions issues since it can’t modify KMS actions for the managed key.

Updating the automation code to use a customer managed KMS key allows for greater control and proper permissions for encrypting snapshots in the security team’s account, ensuring that the snapshots can be copied successfully.

2025-10-08

1 Comment

  1. Mary
    Author

    If I had to guess, I’d say the answer is:
    In the target AWS account, create a customer managed KMS key. Update the automation’s IAM role to allow the kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*, and kms:CreateGrant actions.

Leave a Reply

Your email address will not be published. Required fields are marked *

four × 2 =