Exam AWS Certified Security - Specialty topic 1 question 144 discussion

The API Keys are less than 2kb. So do we need to use DataKeys? I think based on that fact that no Envelope Encryption is needed, I would go with B.

C. This is the minimum permission required.

B. Less than 4kb, no need to generate data key

B Beside the fact that the key is just 2 KB, hence does not require "kms:GenerateDataKey" action, here's the list of required actions from AWS doc. Lambda uses your permissions to create a grant on the key. This allows Lambda to use it for encryption. kms:ListAliases – To view keys in the Lambda console. kms:CreateGrant, kms:Encrypt – To configure a customer managed key on a function. kms:Decrypt – To view and manage environment variables that are encrypted with a customer managed key.

B. I don't see a reason for "ReEncrypt" permission. Th question is clear about least privilege, so I think just encrypt and decrypt permission will do.

Answer is B. Use CMK that encrypts 4kb or less. Don't need GenerateDatakey command . Data keys are used to encrypt a large amount of data as customer master keys (CMKs) cannot encrypt data larger than 4KB

https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption

I'm going with Option B, cause you could use Symmetric Keys for that. For more than 4 KB size, you could use the Data Keys (Envelop Encryption).

I went with B, it makes sense because its best for least privilege not sure why we should grant the user more privileges when its asking for encrypting an decrypting only.

C should be right. "Example Policy statement 3" https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html

Its C: you need GenerateDataKey which Returns a unique symmetric data key for use outside of AWS KMS. To encrypt data outside of AWS KMS: Use the GenerateDataKey operation to get a data key. Use the plaintext data key (in the Plaintext field of the response) to encrypt your data outside of AWS KMS. Then erase the plaintext data key from memory. Store the encrypted data key (in the CiphertextBlob field of the response) with the encrypted data. To decrypt data outside of AWS KMS: Use the Decrypt operation to decrypt the encrypted data key. The operation returns a plaintext copy of the data key. Use the plaintext data key to decrypt data outside of AWS KMS, then erase the plaintext data key from memory. https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html Its not D because: DisableKey Sets the state of a KMS key to disabled. DisableKeyRotation Disables automatic rotation of the key material of the specified symmetric encryption KMS key.

The same question is there in the security specialty course by Zeal Vohra

Answer: B The key to the question is found in the "less than 2kb" comment. Because the data always be smaller than the 4kb limit for encrypt and decrypt operations on KMS, there's no need to use a data encryption key. https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html "The maximum size of the data that you can encrypt varies with the type of CMK and the encryption algorithm that you choose. *Symmetric CMKs SYMMETRIC_DEFAULT: 4096 bytes"

I'm inclined with B... Since its less than 2 kb, which is less than 4 kb, I think it only needs encrypt and decrypt permissions, not permissions for generating a data key

The Lambda needs GenerateDataKey* So C.

Is less tan 4Kb so no need for Data Key (envelope encryption). Answer is B.

C - https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html "Principals that can assume this role are allowed to perform the actions listed in the policy statement, which are the cryptographic actions for encrypting and decrypting data with a CMK." { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/EncryptionApp"}, "Action": [ "kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt", "kms:ReEncrypt*", "kms:Decrypt" ], "Resource": "*" }