Question 19: You have launched EC2 instances in a private subnet, and the volumes attached to these EC2 instances need to be encrypted. However, access to the KMS keys should not happen over the internet but should be done ..... Which of the following will help implement this requirement correctly?
- Launch the EC2 instances and enable volume encryption; this alone takes care of reaching the KMS service privately.
- Attach a key policy to the KMS key that allows requests only from a specific source IP range by setting the aws:SourceIp condition key to that range of IP addresses.
- Correct Answer
- Create a VPC interface endpoint (AWS PrivateLink) for KMS in the VPC of the EC2 instances, then set the aws:SourceVpce condition key in the key policy document to that endpoint's ID. (KMS is a regional service with no "KMS VPC" to peer with; the private path is the interface endpoint, and aws:SourceVpce is the key that identifies requests arriving through it.)
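To see how the correct option works in practice, here is an added example (not part of the quiz page) of a KMS key policy that honours requests only when they arrive through the KMS VPC interface endpoint, together with a small evaluator that applies IAM's deny-overrides-allow rule to constructed request contexts. The account ID, endpoint ID and role ARNs are made-up placeholders. Two caveats a practitioner would want are built in: the Deny exempts the key administrator (otherwise console or CLI use from outside the VPC locks you out), and it exempts calls that an AWS service such as EBS makes on your behalf (aws:ViaAWSService), because those do not traverse your endpoint.

```python
"""
Added example: a KMS key policy restricted to a VPC interface endpoint,
plus a minimal evaluator showing which requests get through.
All identifiers below are assumed placeholders, not real resources.
"""
import fnmatch

ACCOUNT = "111122223333"                      # assumed account ID
KMS_VPCE = "vpce-0a1b2c3d4e5f67890"           # assumed endpoint ID for com.amazonaws.<region>.kms
ADMIN_ARN = f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"
EC2_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/PrivateEc2Role"


def build_key_policy() -> dict:
    """Key policy: admin can manage the key, the instance role can use it,
    and every request not coming via the endpoint is denied (with the two exemptions)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # key administration from console/CLI must keep working without the endpoint
                "Sid": "KeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": ADMIN_ARN},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # what the EC2 instance role may do with the key
                "Sid": "InstanceRoleUse",
                "Effect": "Allow",
                "Principal": {"AWS": EC2_ROLE_ARN},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*",
                           "kms:ReEncrypt*", "kms:DescribeKey", "kms:CreateGrant"],
                "Resource": "*",
            },
            {   # everything else must arrive through the KMS VPC endpoint
                "Sid": "DenyOutsideVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "kms:*",
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:SourceVpce": KMS_VPCE},
                    # calls AWS services (e.g. EBS) make on your behalf do not use your endpoint
                    "BoolIfExists": {"aws:ViaAWSService": "false"},
                    # and never lock out the key administrator
                    "ArnNotEquals": {"aws:PrincipalArn": ADMIN_ARN},
                },
            },
        ],
    }


def _principal_matches(principal, arn: str) -> bool:
    if principal == "*":
        return True
    aws = principal.get("AWS", [])
    return arn in ([aws] if isinstance(aws, str) else aws)


def _action_matches(patterns, action: str) -> bool:
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """IAM semantics: all operator blocks must match. A missing key matches
    for negated (...Not...) and ...IfExists operators, and mismatches otherwise."""
    for op, pairs in condition.items():
        negated = "Not" in op
        for key, wanted in pairs.items():
            if key not in ctx:
                if negated or op.endswith("IfExists"):
                    continue
                return False
            equal = str(ctx[key]).lower() == str(wanted).lower()
            if negated == equal:          # positive op needs equality, negated needs inequality
                return False
    return True


def is_allowed(policy: dict, principal_arn: str, action: str, ctx: dict) -> bool:
    """Deny overrides Allow; with no matching statement the request is denied."""
    allowed = False
    for st in policy["Statement"]:
        if not (_principal_matches(st["Principal"], principal_arn)
                and _action_matches(st["Action"], action)
                and _condition_matches(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_key_policy()
    via_endpoint = {"aws:SourceVpce": KMS_VPCE, "aws:ViaAWSService": "false",
                    "aws:PrincipalArn": EC2_ROLE_ARN}
    via_internet = {"aws:ViaAWSService": "false", "aws:PrincipalArn": EC2_ROLE_ARN}
    print("instance via endpoint:", is_allowed(policy, EC2_ROLE_ARN, "kms:Decrypt", via_endpoint))
    print("instance via internet:", is_allowed(policy, EC2_ROLE_ARN, "kms:Decrypt", via_internet))
```

The endpoint itself is created with `aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface --service-name com.amazonaws.<region>.kms --vpc-id <vpc> --subnet-ids <subnets> --security-group-ids <sg> --private-dns-enabled`; with private DNS enabled, the instances' normal KMS API hostname resolves to the endpoint's private IPs, so the SDK needs no changes. Note that aws:SourceIp (the second option) would see only the instances' NAT or public addresses and cannot prove the request stayed inside the VPC.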