Exam AWS Certified Security - Specialty topic 1 question 106 discussion

A ssm (System Manager) has nothing to do with the question B is irrelevant. Lambdas run on their own VPC C is correc.t D is incorrect. Irrelevant. Trusted entity is the entity allowed to assume a IAM role. It is the principal of the role

Trying to bring my contribution to this topic As per this link this is how you create an IAM policy to access AWS KMS { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:Decrypt", ], "Resource": "arn:aws-cn:kms:<region>:<123456789012>:key/<key-ID>" } ] } Then you can save your policy and assign it to the IAM role you will create after that for the lambda function https://docs.amazonaws.cn/en_us/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.Authorizing.IAM.KMSCreatePolicy.html So answer C makes sense to me too Merry xmas ;)

Lambda execution role needs to have permission to use KMS key (kms:Decrypt). Correct answer is C

The correct answer is C because the Lambda function needs the decrypt permission to perform the task.

It is a testable scenario. Answer is C.

When Secrets Manager uses a KMS key in cryptographic operations, it acts on behalf of the user who is accessing or updating the secret value

C is correct

C is the correct answer from other sites as well.

The answer A is not correct but the attached link below answer is correct. https://aws.amazon.com/blogs/compute/sharing-secrets-with-aws-lambda-using-aws-systems-manager-parameter-store/ The link guide that Lambda policy need to allow access key, not related to SSM.

C I say is correct here. The Lambda execution role needs getparameter and decrypt. SSM itself is not the principal. Right?

2 ways to fix this: - Add a policy to allow the Lambda function's execution role to Decrypt the CMK (Option C) - Add Lambda's function's execution role to the "key users"

This is another tricky one. Here is how we should think about it. Firstly, it is easy to dismiss B and D. B is complete BS, and D is not so much, as whatever D states must be true for the Lambda to even run. As the question states that the Lambda ran, so D can be dismissed. Left with A and C. Here is the fundamental knowledge needed: If a compute actor is trying to retrieve an encrypted key from SSM, does that Compute actor need the permission to access (specifically decrypt) the CMK, or does SSM need it? Answer is: the compute actor. KMS key policy provide does provide an alternative to this, which is the "ViaService" condition. But if we are using ViaService, then ssm.amazonaws.com will be specified not as the Principal, but as the ViaService. Hence, the correct answer is C, not A.

In AWS Identity and Access Management (IAM), you can grant or deny a service access to resources using the Principal policy element. The Principal policy element value for Systems Manager is ssm.amazonaws.com.

Ans > C

Ans (A) https://aws.amazon.com/blogs/compute/sharing-secrets-with-aws-lambda-using-aws-systems-manager-parameter-store/

Dano is Kimo..

Ans is C, clearly mentioned here https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html