
Exam AWS Certified Security - Specialty topic 1 question 146 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 146
Topic #: 1

An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius.
How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?

  • A. Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action.
  • B. Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name.
  • C. Configure the IAM user's policy to allow KMS to pass a role to Amazon S3.
  • D. Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK.
Suggested Answer: B
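The following is an added example, not part of the original question page or of AWS documentation. It builds a KMS key policy whose usage statement carries the kms:ViaService condition from answer B, and pairs it with a deliberately simplified policy evaluator so the effect of the condition can be exercised offline: a request that reaches KMS through Amazon S3 in the expected region is allowed, while the same principal calling KMS directly, or through another service, is denied. The account ID, region, role names and the evaluator itself are constructed assumptions; the evaluator ignores Deny statements, IAM identity policies, grants and cross-account rules, so it illustrates the condition rather than reproducing the full AWS authorization logic.

```python
import fnmatch
import json

# Constructed placeholders; none of these values come from the page.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/KmsKeyAdmin"
APP_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/AppDataRole"

# Key policy: administrators manage the key; the application role may use it
# for data operations only when the request arrives via Amazon S3.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "s3-only-cmk-policy",
    "Statement": [
        {
            "Sid": "AllowKeyAdministration",
            "Effect": "Allow",
            "Principal": {"AWS": ADMIN_ROLE},
            "Action": [
                "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion",
            ],
            "Resource": "*",
        },
        {
            "Sid": "AllowUseOnlyViaS3",
            "Effect": "Allow",
            "Principal": {"AWS": APP_ROLE},
            "Action": [
                "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey",
            ],
            "Resource": "*",
            # kms:ViaService values are regional service endpoints, so the
            # region must be part of the expected value.
            "Condition": {
                "StringEquals": {"kms:ViaService": f"s3.{REGION}.amazonaws.com"}
            },
        },
    ],
}


def policy_json() -> str:
    """Return the key policy as the JSON document you would pass to KMS."""
    return json.dumps(KEY_POLICY, indent=2)


def _action_matches(patterns, action: str) -> bool:
    # IAM action wildcards ("kms:ReEncrypt*") map onto fnmatch semantics here.
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_holds(condition: dict, context: dict) -> bool:
    # Simplified: only StringEquals is modelled. A condition key that is absent
    # from the request context (a direct KMS call has no kms:ViaService) fails.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def is_allowed(policy: dict, principal: str, action: str, context: dict) -> bool:
    """Default deny; any Allow statement whose principal, action and
    condition all match grants the request (simplified evaluator)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if stmt["Principal"].get("AWS") != principal:
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not _action_matches(actions, action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def scenarios() -> dict:
    """Exercise the policy against representative request contexts."""
    via_s3 = {"kms:ViaService": f"s3.{REGION}.amazonaws.com"}
    via_ebs = {"kms:ViaService": f"ec2.{REGION}.amazonaws.com"}
    via_s3_other_region = {"kms:ViaService": "s3.eu-west-1.amazonaws.com"}
    direct = {}
    return {
        "app_generate_datakey_via_s3": is_allowed(KEY_POLICY, APP_ROLE, "kms:GenerateDataKey", via_s3),
        "app_decrypt_via_ebs": is_allowed(KEY_POLICY, APP_ROLE, "kms:Decrypt", via_ebs),
        "app_decrypt_direct": is_allowed(KEY_POLICY, APP_ROLE, "kms:Decrypt", direct),
        "app_decrypt_via_s3_other_region": is_allowed(KEY_POLICY, APP_ROLE, "kms:Decrypt", via_s3_other_region),
        "admin_schedule_deletion_direct": is_allowed(KEY_POLICY, ADMIN_ROLE, "kms:ScheduleKeyDeletion", direct),
    }


if __name__ == "__main__":
    print(policy_json())
    for name, allowed in scenarios().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The scenario names show why option B answers the question and options A, C and D do not: the constraint lives in the key policy and keys on how the request reached KMS, so the application role gets no use of the key from its own code or from another service, while key administration remains unaffected because that statement carries no kms:ViaService condition.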

Comments

PeppaPig
Highly Voted 3 years, 8 months ago
B is the correct answer
upvoted 21 times
sanc
Highly Voted 3 years, 8 months ago
B is correct, kms:ViaService is used to limit the use of key by service
upvoted 8 times
nnope
Most Recent 2 years, 6 months ago
Selected Answer: B
https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-via-service
The kms:ViaService condition key limits use of a KMS key to requests from specified AWS services. You can specify one or more services in each kms:ViaService condition key. The operation must be a KMS key resource operation, that is, an operation that is authorized for a particular KMS key.
Amazon Simple Storage Service (Amazon S3): s3.AWS_region.amazonaws.com
upvoted 1 times
[Removed]
2 years, 6 months ago
B. Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name. To constrain an AWS KMS customer master key (CMK) to work only with Amazon S3, the CMK key policy can be configured to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name. This will ensure that the CMK can only be used by Amazon S3 to perform encrypt and decrypt operations, and cannot be used by other AWS services. Additionally, the CMK key policy can be configured to allow only the Amazon S3 service to use the kms:Encrypt action, which will further restrict the CMK to only be used for encrypting data with Amazon S3. This approach will help to limit the blast radius of the CMK, as it will only be able to be used with a single AWS service, and will not be able to be used by other services or IAM users. Other options, such as configuring an IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK, would not adequately constrain the CMK to only be used with Amazon S3.
upvoted 1 times
sapien45
2 years, 9 months ago
Selected Answer: B
You can specify conditions in the key policies and AWS Identity and Access Management policies (IAM policies) that control access to AWS KMS resources. The policy statement is effective only when the conditions are true. The kms:ViaService condition key limits use of an AWS KMS key (KMS key) to requests from specified AWS services. You can specify one or more services in each kms:ViaService condition key.
upvoted 1 times
dcasabona
2 years, 10 months ago
Selected Answer: B
Option B.
upvoted 1 times
kiev
3 years, 7 months ago
full house for B
upvoted 2 times
hp_1980
3 years, 7 months ago
B is correct!!
upvoted 3 times
refuz
3 years, 7 months ago
B is correct
upvoted 2 times
Daniel76
3 years, 7 months ago
Answer = B. Use kms:ViaService https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service
upvoted 3 times
DanMuniz
3 years, 8 months ago
B no doubt about it
upvoted 3 times
deegadaze1
3 years, 8 months ago
B 100%
upvoted 3 times