Exam AWS Certified Security - Specialty topic 1 question 133 discussion

D seems corr

I believe D is wrong. But guys, I would go for D, the problem is the question. It's stating "EC2 Instance" and this should be IAM Role and option D is wrong IMHO because of this, this is NOT IAM user.

D The KMS default key policy (uppermost part of the policy) that delegates permissions to IAM identity policies, is missing.

A - > https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse

This has to be A

The best answer is D because the EC2 instance needs permissions to use the newly created key.

Not A, we are not speaking of encryption.

Option A, the kms:GenerateDataKey permission being missing from the EC2 instance's IAM role, would not cause the issue, as the kms:Decrypt action is allowed for all resources in the role.

The issue is caused by the fact that the KMS CMK key policy that enables IAM user permissions is missing. In order for the Amazon EC2 instance to have access to the AWS KMS CMK and be able to perform decrypt actions, the KMS CMK key policy must be configured to grant the necessary permissions to the EC2 instance's IAM role. In order to fix the issue, the Security team can update the KMS CMK key policy to grant the EC2 instance's IAM role the necessary permissions for decrypt actions. This will allow the EC2 instance to access the KMS CMK and perform decrypt actions as needed.

The key is 'Newly Created'. The key policy by default has the IAM user permissions. So D is wrong. GenerateDataKey permission is required to decrypt using the key. A is the right answer. If the key was not 'new' and someone changed the default key policy to remove the account root permission required to manage IAM permissions, then D may have been viable option.

key policy should allow root user in order for IAM policies to work

https://stackoverflow.com/questions/66543870/aws-kms-why-do-i-need-the-kmsdecrypt-permission-when-i-try-to-encrypt-data

Answer D - Unless the key policy explicitly allows it, you cannot use IAM policies to allow access to a KMS key. Without permission from the key policy, IAM policies that allow permissions have no effect.

That is right. you could use IAM policies (EC2 instances roles for example) only if KMS policies allow you to do so.

After some researchs go for D https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

D is correct Although I want to see "IAM role" instead of "IAM user", but ok with it since "IAM user" is a legit principle A is not correct because GenerateDataKey is needed for envelope encryption. In this question, it is about using CMK, so data key is irrelevant

Every CMK must have exactly one key policy. The statements in the key policy document determine who has permission to use the CMK and how they can use it. Key users = IAM users + IAM Roles So D is correct.