A company uses AWS KMS to encrypt EBS volumes. The security team wants to ensure that EBS snapshots are shared with another account without exposing the underlying data. What is the correct approach?
Target account can then create encrypted volumes from the snapshot.
Why this answer
Option D is correct because sharing an encrypted EBS snapshot with another account requires the KMS key policy to grant the target account permission to use the key (via kms:Decrypt and kms:CreateGrant). Without this grant, the target account cannot decrypt the snapshot to create volumes or copies from it. AWS KMS requires that the key policy explicitly allow cross-account access, and principals in the target account must also have the corresponding IAM permissions.
Exam trap
The trap here is that candidates often confuse sharing the KMS key itself (which is impossible) with updating the key policy to grant cross-account usage, leading them to select Option C.
How to eliminate wrong answers
Option A is wrong because sharing an encrypted snapshot without modifying the KMS key policy leaves the target account unable to decrypt the snapshot, making it unusable. Option B is wrong because creating an unencrypted copy of an encrypted snapshot would expose the underlying data in plaintext, violating the security requirement. Option C is wrong because sharing the KMS key with the target account is not a supported operation: KMS keys cannot be shared or transferred; instead, you must update the key policy to grant cross-account usage permissions.