Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For DVA-C02 candidates, the confusion often lies in handling AMI encryption nuances when copying images across regions. In production, this is about knowing exactly how AWS supports encryption on AMI copying and the limitations around modifying encryption of existing AMIs. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
FinovaSoft, a fintech startup, is expanding its application deployment to multiple AWS Regions for lower latency and compliance. The lead developer needs to ensure all Amazon Machine Images (AMIs) used for application deployment are encrypted in every Region, per company security policies. Some existing AMIs in the primary Region are unencrypted, but the company cannot disrupt application uptime. The developer wants to copy the latest AMIs to the new Region and have them encrypted there to meet compliance.
The Requirement: #
How can the developer successfully expand to the new Region, ensuring all AMIs in use are encrypted without violating the existing AMI state or creating security gaps?
The Options #
- A) Create new AMIs in the primary Region with encryption enabled, copy those encrypted AMIs to the destination Region, and delete the unencrypted ones.
- B) Use AWS Key Management Service (AWS KMS) to enable encryption directly on the unencrypted AMIs, then copy the encrypted AMIs to the destination Region.
- C) Use AWS Certificate Manager (ACM) to enable encryption on the unencrypted AMIs, then copy the encrypted AMIs to the destination Region.
- D) Copy the unencrypted AMIs to the destination Region and enable encryption by default in the destination Region to encrypt them post-copy.
Google adsense #
leave a comment:
Correct Answer #
A
Quick Insight: The Developer Imperative #
The primary limitation is that you cannot enable encryption on an existing unencrypted AMI post-creation; you must create a new AMI with encryption enabled. Copying an unencrypted AMI does not automatically encrypt it in the destination Region. AWS Certificate Manager is unrelated to AMI encryption, and KMS keys encrypt but cannot “convert” unencrypted AMIs. Therefore, the secure and compliant approach is to create new encrypted AMIs first, then copy.
Content Locked: The Expert Analysis #
You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?
The Expert’s Analysis #
Correct Answer #
Option A
The Winning Logic #
AWS does not support modifying encryption of an existing AMI that was created unencrypted. To comply with encryption mandates, the developer must create new AMIs specifying encryption—either during snapshot creation or via API/console options. Once encrypted AMIs exist, they can be copied to other Regions, maintaining encryption state. This approach ensures company compliance and security policies are upheld.
- Specifically for DVA-C02 candidates, the EC2 API call
CreateImageand snapshot encryption parameters come into play here. You can create a new encrypted AMI from an existing instance, which encrypts the associated snapshots. Copying encrypted AMIs preserves state without leaking unencrypted data.
The Trap (Distractor Analysis): #
-
Why not B?
KMS manages encryption keys but does not have a capability that magically “encrypts” already unencrypted AMIs. The AMI and its snapshots are immutable with respect to encryption settings once created. -
Why not C?
AWS Certificate Manager handles SSL/TLS certificates, not EBS or AMI encryption. -
Why not D?
Copying unencrypted AMIs to another Region does not trigger encryption by default, even if encryption-by-default is set on EBS volumes. The snapshot underlying the AMI remains unencrypted; therefore, compliance is not met.
The Technical Blueprint #
For Developers (Code/CLI Snippet):
# Step 1: Create an encrypted AMI from an instance
aws ec2 create-image \
--instance-id i-1234567890abcdef0 \
--name "MyEncryptedAMI" \
--block-device-mappings '[{"DeviceName":"/dev/xvda","Ebs":{"Encrypted":true,"KmsKeyId":"alias/aws/ebs"}}]'
# Step 2: Copy the encrypted AMI to another region
aws ec2 copy-image \
--source-region us-east-1 \
--source-image-id ami-12345678 \
--name "MyEncryptedAMI-copy" \
--region us-west-2
The Comparative Analysis #
| Option | API Complexity | Performance | Use Case |
|---|---|---|---|
| A | Medium | High (compliant & secure) | Proper creation + copy of encrypted AMIs |
| B | Low (misunderstood) | N/A | Misconception: KMS can’t encrypt existing AMIs |
| C | Low | N/A | Irrelevant service (ACM not for AMI encryption) |
| D | Low | Risk of non-compliance | Invalid: unencrypted AMIs copied as-is |
Real-World Application (Practitioner Insight) #
Exam Rule #
“For DVA-C02, when handling AMI encryption, always create a new encrypted AMI if your source AMI is unencrypted—do not rely on post-copy encryption.”
Real World #
“In live deployments, teams often automate AMI creation with encryption options embedded in CI/CD pipelines to ensure compliance and ease multi-Region expansion.”
(CTA) Stop Guessing, Start Mastering #
Disclaimer
This is a study note based on simulated scenarios for the DVA-C02 exam.