
Exam AWS Certified Security - Specialty topic 1 question 144 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 144
Topic #: 1

An Application Developer is using an AWS Lambda function that must use AWS KMS to perform encrypt and decrypt operations for API keys that are less than 2 KB.
Which key policy would allow the application to do this while granting least privilege?
A.

B.

C.

D.

Suggested Answer: C

Comments

AWS_Noob_007
Highly Voted 3 years, 9 months ago
The API keys are less than 2 KB, so do we need to use data keys? I think, based on the fact that no envelope encryption is needed, I would go with B.
upvoted 32 times
AlexWong
3 years, 9 months ago
B. It will be 4 KB by envelope encryption.
upvoted 6 times
disposable1989
3 years, 9 months ago
https://docs.aws.amazon.com/kms/latest/developerguide/programming-encryption.html yeah, B
upvoted 9 times
cldy
Highly Voted 3 years, 9 months ago
C. This is the minimum permission required.
upvoted 6 times
YR4591
Most Recent 1 year, 5 months ago
B. Less than 4 KB, no need to generate a data key.
upvoted 1 times
Raphaello
1 year, 6 months ago
B. Besides the fact that the key is just 2 KB, and hence does not require the "kms:GenerateDataKey" action, here's the list of required actions from the AWS doc. Lambda uses your permissions to create a grant on the key. This allows Lambda to use it for encryption. kms:ListAliases – To view keys in the Lambda console. kms:CreateGrant, kms:Encrypt – To configure a customer managed key on a function. kms:Decrypt – To view and manage environment variables that are encrypted with a customer managed key.
upvoted 1 times
nairj
2 years, 3 months ago
B. I don't see a reason for the "ReEncrypt" permission. The question is clear about least privilege, so I think just encrypt and decrypt permissions will do.
upvoted 1 times
Fyssy
2 years, 6 months ago
Answer is B. Use a CMK that encrypts 4 KB or less. Don't need the GenerateDataKey command. Data keys are used to encrypt a large amount of data, as customer master keys (CMKs) cannot encrypt data larger than 4 KB.
upvoted 4 times
tobedeleted
2 years, 7 months ago
https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption
upvoted 1 times
tobedeleted
2 years, 7 months ago
I'm going with Option B, because you could use symmetric keys for that. For more than 4 KB in size, you could use data keys (envelope encryption).
upvoted 2 times
arae
2 years, 8 months ago
I went with B. It makes sense because it's best for least privilege; not sure why we should grant the user more privileges when it's asking for encrypting and decrypting only.
upvoted 3 times
cloud_collector
2 years, 9 months ago
C should be right. "Example Policy statement 3" https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html
upvoted 1 times
Root_Access
2 years, 10 months ago
It's C: you need GenerateDataKey, which returns a unique symmetric data key for use outside of AWS KMS. To encrypt data outside of AWS KMS: Use the GenerateDataKey operation to get a data key. Use the plaintext data key (in the Plaintext field of the response) to encrypt your data outside of AWS KMS. Then erase the plaintext data key from memory. Store the encrypted data key (in the CiphertextBlob field of the response) with the encrypted data. To decrypt data outside of AWS KMS: Use the Decrypt operation to decrypt the encrypted data key. The operation returns a plaintext copy of the data key. Use the plaintext data key to decrypt data outside of AWS KMS, then erase the plaintext data key from memory. https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html It's not D because: DisableKey sets the state of a KMS key to disabled. DisableKeyRotation disables automatic rotation of the key material of the specified symmetric encryption KMS key.
upvoted 2 times
Cloud9
3 years, 8 months ago
The same question is there in the security specialty course by Zeal Vohra
upvoted 1 times
EricR17
3 years, 8 months ago
Answer: B. The key to the question is found in the "less than 2 KB" comment. Because the data will always be smaller than the 4 KB limit for encrypt and decrypt operations on KMS, there's no need to use a data encryption key. https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html "The maximum size of the data that you can encrypt varies with the type of CMK and the encryption algorithm that you choose. *Symmetric CMKs SYMMETRIC_DEFAULT: 4096 bytes"
upvoted 4 times
skipbaylessfor3
3 years, 8 months ago
I'm inclined to B... Since it's less than 2 KB, which is less than 4 KB, I think it only needs encrypt and decrypt permissions, not permissions for generating a data key.
upvoted 5 times
rhinozD
3 years, 8 months ago
The Lambda needs GenerateDataKey*, so C.
upvoted 1 times
AkaAka4
3 years, 7 months ago
Any reference please? Just wondering why Lambda must need GenerateDataKey...
upvoted 1 times
pmjcr
3 years, 8 months ago
It's less than 4 KB, so no need for a data key (envelope encryption). Answer is B.
upvoted 4 times
Daniel76
3 years, 8 months ago
C - https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html "Principals that can assume this role are allowed to perform the actions listed in the policy statement, which are the cryptographic actions for encrypting and decrypting data with a CMK." { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/EncryptionApp"}, "Action": [ "kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt", "kms:ReEncrypt*", "kms:Decrypt" ], "Resource": "*" }
upvoted 3 times
Raphaello
1 year, 4 months ago
That reference does not support that C is the only correct answer for this question, though.
upvoted 1 times
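As an added example (not from the page or any commenter): a small Python check that derives the minimal KMS actions from the payload size discussed by EricR17 and Root_Access, and flags which actions in the documentation statement Daniel76 quoted exceed that minimum. The EncryptionApp role ARN is the one quoted in that comment; the 4096-byte threshold is the SYMMETRIC_DEFAULT limit quoted from the API reference.

```python
import fnmatch
import json

# Encrypt/Decrypt limit for a symmetric KMS key (SYMMETRIC_DEFAULT),
# as quoted from the KMS API reference in the thread.
KMS_DIRECT_ENCRYPT_LIMIT_BYTES = 4096

# Role ARN quoted from the KMS developer guide example in the thread.
ROLE = "arn:aws:iam::111122223333:role/EncryptionApp"

# The "Allow use of the key" statement quoted in the thread.
DOC_EXAMPLE_POLICY = {"Statement": [{
    "Sid": "Allow use of the key", "Effect": "Allow",
    "Principal": {"AWS": ROLE},
    "Action": ["kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt",
               "kms:ReEncrypt*", "kms:Decrypt"],
    "Resource": "*"}]}


def required_kms_actions(max_plaintext_bytes: int) -> set:
    """Actions needed to encrypt/decrypt payloads up to the given size.
    At or below 4096 bytes the key wraps the data directly; above it,
    envelope encryption needs a data key (plus Decrypt to unwrap it)."""
    if max_plaintext_bytes <= KMS_DIRECT_ENCRYPT_LIMIT_BYTES:
        return {"kms:Encrypt", "kms:Decrypt"}
    return {"kms:GenerateDataKey", "kms:Decrypt"}


def excess_actions(policy: dict, needed: set, principal: str) -> set:
    """Actions granted to `principal` by Allow statements that match none
    of the needed actions. Wildcards (kms:ReEncrypt*) are matched with
    fnmatch; a wildcard that covers a needed action is accepted even
    though it may also cover actions beyond it (constructed heuristic)."""
    excess = set()
    for stmt in policy.get("Statement", []):
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if stmt.get("Effect") != "Allow" or principal not in principals:
            continue
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if not any(fnmatch.fnmatchcase(n, action) for n in needed):
                excess.add(action)
    return excess


def minimal_policy(principal: str, max_plaintext_bytes: int) -> dict:
    """Constructed least-privilege statement for the given payload size."""
    return {"Statement": [{
        "Sid": "Allow encrypt and decrypt only", "Effect": "Allow",
        "Principal": {"AWS": principal},
        "Action": sorted(required_kms_actions(max_plaintext_bytes)),
        "Resource": "*"}]}


if __name__ == "__main__":
    needed = required_kms_actions(2 * 1024)  # API keys under 2 KB
    print("excess:", sorted(excess_actions(DOC_EXAMPLE_POLICY, needed, ROLE)))
    print(json.dumps(minimal_policy(ROLE, 2 * 1024), indent=2))
```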
Community vote distribution
A (35%)
C (25%)
B (20%)
Other