Exam AWS Certified Security - Specialty topic 1 question 98 discussion

GUYS, PLEASE READ THIS Keyword is "Which of the following will allow the team to manage AWS KMS permissions in IAM" This is option B. If you specify the root user in a KMS key policy, it enables any IAM user/role in the account to access the key as long as they have attached IAM permissions that allow it. Thus, access is controlled with the IAM permissions. This is a super common use case, you do not want to be editing the key policy or creating grants all the time, it is much easier to control everything in IAM

i think it is B since when you create a CMK , it must have root principal to have full access to kms and allow the usage of IAM policies to provide access to everyone else in the account . However i am not sure .

https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html It's the first policy statement in the default key policy for KMS keys created in the AWS KMS console. { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action": "kms:*", "Resource": "*" } When the principal in a key policy statement is the account principal, the policy statement doesn't give any IAM principal permission to use the KMS key. Instead, it allows the account to use IAM policies to delegate the permissions specified in the policy statement. This default key policy statement allows the account to use IAM policies to delegate permission for all actions (kms:*) on the KMS key.

Key policies are the primary way to control access to CMKs in AWS KMS. Each CMK has a key policy attached to it that defines permissions on the use and management of the key. The default policy enables any principals you define, as well as enables the root user in the account to add IAM policies that reference the key. B

If you specify the root user in a KMS key policy, it enables any IAM user/role in the account to access the key as long as they have attached IAM permissions that allow it.

The answer is D. Newly created CMKs must mirror the IAM policy of the KMS key administrator. By default, AWS KMS uses key policies to manage access to CMKs. However, managing individual key policies for hundreds of CMKs can be complex and time-consuming. Instead, you can use IAM policies to manage access to CMKs by creating an IAM role that has permission to use KMS and attaching an IAM policy to that role. To simplify the process of managing access to CMKs, you can create an IAM policy that grants the necessary permissions to the IAM role, and then attach that policy to the KMS key administrator's IAM user or role. This way, all newly created CMKs will automatically inherit the same permissions as the KMS key administrator.

C is correct answer. Checked in chatgpt too.

without the complexity of editing individual key policies why you want to add extra burden on root user by selecting option B? There are two types of users, key administrators and key users. Key admins can do the task instead on root user.

I'm challenging this answer as D. Since managing of access does not require anyone to have ALL access. You only require the key administrator privileges. As supported by the official study guide pg. 227 "Key Administrators: IAM users or IAM roles that can manage the keys"

B is correct

B for me as well because root would simply be able to do every action and the rests would not have to do anything.

B 100%

I'd say B. The grant is insufficient.

With CreateGrant allowed, you have enough permission to control which user/role can encrypt/decrypt data (normally in application code) but not remove or rotate the CMKs. If you provide All action, that means there is a risk an application can remove an CMK that are used by other applications. C is my choice.

B is Correct

Looks like answer is C based on https://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html You can control access to your KMS CMKs in these ways: Use the key policy – You must use the key policy to control access to a CMK. You can use the key policy alone to control access, which means the full scope of access to the CMK is defined in a single document (the key policy). Use IAM policies in combination with the key policy – You can use IAM policies in combination with the key policy to control access to a CMK. Controlling access this way enables you to manage all of the permissions for your IAM identities in IAM. Use grants in combination with the key policy – You can use grants in combination with the key policy to allow access to a CMK. Controlling access this way enables you to allow access to the CMK in the key policy, and to allow users to delegate their access to others.

Its D... Its really between B and D. However, if you think on it the root account like B already has master access like Jose said.