The Security Engineer created a new AWS Key Management Service (AWS KMS) key with the following key policy: What are the effects of the key policy? (Choose two.)
A.
The policy allows access for the AWS account 111122223333 to manage key access through IAM policies.
B.
The policy allows all IAM users in account 111122223333 to have full access to the KMS key.
C.
The policy allows the root user in account 111122223333 to have full access to the KMS key.
D.
The policy allows the KMS service-linked role in account 111122223333 to have full access to the KMS key.
E.
The policy allows all IAM roles in account 111122223333 to have full access to the KMS key.
ANSWER - A,C
Enables IAM policies to allow access to the CMK.
IAM policies by themselves are not sufficient to allow access to a CMK. However, you can use them in combination with a CMK's key policy if the key policy enables it. Giving the AWS account full access to the CMK does this; it enables you to use IAM policies to give IAM users and roles in the account access to the CMK. It does not by itself give any IAM users or roles access to the CMK, but it enables you to use IAM policies to do so. For more information, see Managing access to AWS KMS CMKs.
The following example shows the policy statement that allows access to the AWS account and thereby enables IAM policies.
{
    "Sid": "Enable IAM User Permissions",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*",
    "Resource": "*"
}
Good explanation. To add a little more:
- B is not correct because while all IAM users can be given access with an IAM policy, they might not have any access at all if IAM doesn't allow it
- D: this has nothing to do with service-linked roles
- E: ":root" does not apply to roles, it applies to IAM users and the root user
Option A is for sure correct.
Cannot have B but not E, or E but not B. And both of them are missing the "through IAM policies" part, which is crucial.
That leaves C to join A!
A. The policy allows access for the AWS account 111122223333 to manage key access through IAM policies. - This is true. The root user of an AWS account has permissions to manage IAM policies for the account. By granting permissions to the root user, you effectively allow the AWS account to manage key access through IAM policies.
C. The policy allows the root user in account 111122223333 to have full access to the KMS key. - This is true based on the "Principal" definition in the policy.
A,C.
- It gives the AWS account that owns the KMS key full access to the KMS key.
- It allows the account to use IAM policies to allow access to the KMS key, in addition to the key policy.
- It reduces the risk of the key becoming unmanageable by giving access control permission to the account administrators, including the account root user, which cannot be deleted.
The principal in this key policy statement is the account principal, which is represented by an ARN in this format: arn:aws:iam::account-id:root. The account principal represents the AWS account and its administrators.
https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html
AC
See - https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html
"The key policy statement shown above gives the AWS account that owns the key permission to use IAM policies, as well as key policies, to allow all actions (kms:*) on the KMS key.
The principal in this key policy statement is the account principal, which is represented by an ARN in this format: arn:aws:iam::account-id:root. The account principal represents the AWS account and its administrators.
When the principal in a key policy statement is the account principal, the policy statement doesn't give any IAM principal permission to use the KMS key. Instead, it allows the account to use IAM policies to delegate the permissions specified in the policy statement. This default key policy statement allows the account to use IAM policies to delegate permission for all actions (kms:*) on the KMS key.
A and C.
B says that all IAM Users can access the key - this means no matter what IAM policies they have.
IAM Users (B) as well as Roles (D) are allowed to access the key when they have proper IAM policies. However, the root account (C) does not need any IAM policies in order to use the key.
https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html#:~:text=A%20key%20policy%20document%20with%20a%20statement%20that%20allows%20access%20to%20the%20AWS%20account%20enables%20IAM%20policies%20in%20the%20account%20to%20allow%20access%20to%20the%20KMS%20key
A key policy document with a statement that allows access to the AWS account enables IAM policies in the account to allow access to the KMS key. This means that users and roles in the account might have access to the KMS key even if they are not explicitly listed as principals in the key policy document.
AB is the answer, not C; reference the below link.
https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html#:~:text=A%20key%20policy%20document%20with%20a%20statement%20that%20allows%20access%20to%20the%20AWS%20account%20enables%20IAM%20policies%20in%20the%20account%20to%20allow%20access%20to%20the%20KMS%20key
The policy allows the AWS account 111122223333 root user to have full access to the KMS key. Therefore, option C is the correct answer. Option A is partly correct, as it correctly identifies the AWS account with access to the KMS key but is incomplete in that it doesn't specify that the access is limited to the root user. Option B is incorrect because the policy specifies the Principal as the AWS account root user, not IAM users. Option D and E are also incorrect as they do not correspond to the policy's content.
I bet for A and B, but very tricky indeed. Even E could be valid because it allows all "IAM identities" to manage the access using IAM policies. Users, groups, and roles are IAM identities.
This policy enables you to use IAM policies to give IAM users and roles in the account access to the CMK. So all IAM users and roles will have full access to the KMS key. AB
https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-root-enable-iam
The following default key policy statement is critical.
It gives the AWS account that owns the KMS key full access to the KMS key.
Unlike other AWS resource policies, an AWS KMS key policy does not automatically give permission to the account or any of its identities. To give permission to account administrators, the key policy must include an explicit statement that provides this permission, like this one.
It allows the account to use IAM policies to allow access to the KMS key, in addition to the key policy.
Without this permission, IAM policies that allow access to the key are ineffective, although IAM policies that deny access to the key are still effective.
It reduces the risk of the key becoming unmanageable by giving access control permission to the account administrators, including the account root user, which cannot be deleted.
Kind of confusing terms, but as per the documentation:
1. It gives the AWS account that owns the KMS key full access (not permission) to the KMS key
2. It allows the account to use IAM policies to allow access to the KMS key, in addition to the key policy.
regarding C
The principal in this key policy statement is the account principal, which is represented by an ARN in this format: arn:aws:iam::account-id:root. (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts)
.... Using the account ARN in the Principal element does not limit permissions to only the root user of the account. (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts)
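The rule the quoted documentation describes (the account principal enables IAM policies; an IAM Allow is ineffective without it, an IAM Deny always applies, and the root user needs no IAM policy) as a small simulator. This is an added example, not code from the thread or from AWS; the key policy is the statement quoted above, the principal ARNs and IAM statements are constructed, and action matching is simplified to exact names and trailing-wildcard patterns.

```python
# Added example: simplified model of how a KMS key policy with the account
# principal interacts with IAM identity policies. Not a full IAM evaluator.

# Key policy from the question (account id 111122223333 as quoted on the page).
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}


def _matches(pattern, action):
    # Simplified action matching: "*", exact name, or trailing wildcard (kms:*).
    return pattern == "*" or pattern == action or (
        pattern.endswith("*") and action.startswith(pattern[:-1]))


def account_enabled_for_iam(key_policy, account_id):
    """True when an Allow statement names the account principal
    (arn:aws:iam::<account>:root). Only then can IAM policies grant access."""
    arn = "arn:aws:iam::%s:root" % account_id
    for stmt in key_policy["Statement"]:
        principal = stmt.get("Principal", {}).get("AWS", [])
        principals = [principal] if isinstance(principal, str) else principal
        if stmt["Effect"] == "Allow" and arn in principals:
            return True
    return False


def kms_access_allowed(key_policy, iam_statements, principal_arn, action):
    """Decide access for principal_arn (a user, role or the account root)
    given the key policy and the IAM statements attached to that principal."""
    account_id = principal_arn.split(":")[4]   # arn:aws:iam::<account>:<name>
    enabled = account_enabled_for_iam(key_policy, account_id)
    if principal_arn.endswith(":root"):
        return enabled          # account principal: full access, no IAM policy needed
    relevant = [s for s in iam_statements if _matches(s["Action"], action)]
    if any(s["Effect"] == "Deny" for s in relevant):
        return False            # IAM Deny is effective regardless of the key policy
    if not enabled:
        return False            # no delegation to IAM: an IAM Allow is ineffective
    return any(s["Effect"] == "Allow" for s in relevant)
```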