Exam AWS Certified Security - Specialty topic 1 question 90 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 90
Topic #: 1
An organization has three applications running on AWS, each accessing the same data on Amazon S3. The data on Amazon S3 is server-side encrypted by using an AWS KMS Customer Master Key (CMK).
What is the recommended method to ensure that each application has its own programmatic access control permissions on the KMS CMK?

  • A. Change the key policy permissions associated with the KMS CMK for each application when it must access the data in Amazon S3.
  • B. Have each application assume an IAM role that provides permissions to use the AWS Certificate Manager CMK.
  • C. Have each application use a grant on the KMS CMK to add or remove specific access controls on the KMS CMK.
  • D. Have each application use an IAM policy in a user context to have specific access permissions on the KMS CMK.
Suggested Answer: C

Comments

xenex
Highly Voted 3 years, 9 months ago
Correct Answer: C

"All CMKs must have a key policy. IAM policies are optional. To use an IAM policy to control access to a CMK, the key policy for the CMK must give the account permission to use IAM policies. Specifically, the key policy must include the policy statement that enables IAM policies." https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html

"AWS KMS supports two resource-based access control mechanisms: key policies and grants. With grants you can programmatically delegate the use of KMS customer master keys (CMKs) to other AWS principals." https://docs.aws.amazon.com/kms/latest/developerguide/grants.html

"A principal is a person or application that can make a request for an action or operation on an AWS resource." https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal
upvoted 43 times
gfhbox0083
Highly Voted 3 years, 9 months ago
C, for sure. AWS KMS supports two resource-based access control mechanisms: key policies and grants. With grants you can programmatically delegate the use of KMS.
upvoted 14 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: D
Not D, because grants on the KMS CMK are not for adding or removing specific access controls on the key! Why would the application need to change access control on the key?! D is a better answer.
upvoted 1 times
Ejobs123
1 year, 10 months ago
The answer cannot be C, as a KMS grant can only allow access to a KMS key, but not deny access. D is also
upvoted 1 times
Sickcnt
1 year, 11 months ago
Answer is C. B is >nearly true<, but it says "to use AWS CERTIFIED MANAGER CMK" (there is no such thing, since CMKs are attached to the KMS service). Answer C is correct since, besides roles, you can delegate rights to KMS keys especially well with grants. Here is an example configuration of a KMS key policy that specifies grant permissions:

{
  Sid       = "Allow attachment of persistent resources"
  Effect    = "Allow"
  Principal = { AWS = "arn:aws:iam::234353542282:user/terrakid" }
  Action    = [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ]
  Resource  = "*"
  Condition = {
    StringEquals = {
      "kms:ViaService" = [ "ec2.eu-west-2.amazonaws.com", "rds.eu-west-2.amazonaws.com" ]
    }
  }
}
upvoted 1 times
Sickcnt
1 year, 11 months ago
Sorry, the example was not entirely correct. This is a good example:

{
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" },
  "Action": "kms:CreateGrant",
  "Resource": "*",
  "Condition": {
    "Bool": { "kms:GrantIsForAWSResource": "true" },
    "StringEquals": {
      "kms:ViaService": [
        "ec2.us-west-2.amazonaws.com",
        "rds.us-west-2.amazonaws.com"
      ]
    }
  }
}

kms:GrantIsForAWSResource is exactly what we need to grant the resources themselves rights: the user clicks an API action on a resource, and now the resource has rights to use/reach the KMS key to do encryption/decryption with it. With the kms:ViaService condition, the KMS key can only be used by the EC2 and RDS services.
upvoted 2 times
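The grant mechanism xenex and Sickcnt describe above, as an added example that is not part of this discussion and not AWS's own code: a local Python model of one grant per application on a single CMK, the boto3 `create_grant` parameters each grant would be created from, and a small audit of which principals a key policy lets call `kms:CreateGrant`. The key, role and bucket ARNs are placeholders, the key policy is constructed, and `is_allowed()` mirrors the documented grant rules (matching grantee, permitted operation, `EncryptionContextSubset` constraint; grants only allow) but is not the AWS authorization engine.

```python
# Added example (not from this discussion or AWS): per-application KMS grants modelled
# locally, with the boto3 create_grant parameters each grant is built from.
# ARNs and bucket name are placeholders; is_allowed() is a model, not AWS's evaluator.
import uuid
from dataclasses import dataclass

KEY_ID = "arn:aws:kms:us-west-2:111122223333:key/00000000-0000-0000-0000-000000000000"
BUCKET_ARN = "arn:aws:s3:::example-shared-data"   # constructed
S3_CONTEXT = {"aws:s3:arn": BUCKET_ARN}           # encryption context S3 sends for SSE-KMS


@dataclass
class Grant:
    grant_id: str
    grantee: str          # principal ARN the grant delegates to
    operations: list      # KMS operations the grant permits
    context_subset: dict  # EncryptionContextSubset constraint
    name: str
    revoked: bool = False


class KeyGrants:
    """Grants attached to one KMS key. Grants can only allow; they never deny."""

    def __init__(self, key_id):
        self.key_id = key_id
        self.grants = []

    def create_grant_params(self, grantee, operations, context_subset, name):
        """Parameter dict for boto3 `kms.create_grant(**params)`."""
        return {"KeyId": self.key_id, "GranteePrincipal": grantee,
                "Operations": list(operations),
                "Constraints": {"EncryptionContextSubset": dict(context_subset)},
                "Name": name}

    def create_grant(self, grantee, operations, context_subset, name):
        p = self.create_grant_params(grantee, operations, context_subset, name)
        grant = Grant(uuid.uuid4().hex, p["GranteePrincipal"], p["Operations"],
                      p["Constraints"]["EncryptionContextSubset"], p["Name"])
        self.grants.append(grant)
        return grant.grant_id

    def revoke_grant(self, grant_id):
        for grant in self.grants:
            if grant.grant_id == grant_id:
                grant.revoked = True
                return True
        return False

    def is_allowed(self, principal, operation, encryption_context):
        return any(_grant_allows(g, principal, operation, encryption_context)
                   for g in self.grants)


def _grant_allows(grant, principal, operation, encryption_context):
    if grant.revoked or grant.grantee != principal or operation not in grant.operations:
        return False
    # EncryptionContextSubset: every constraint pair must appear in the request's context
    return all(encryption_context.get(k) == v for k, v in grant.context_subset.items())


# Constructed key policy: enables IAM policies for the account and lets one principal
# create grants only on behalf of AWS services (kms:GrantIsForAWSResource).
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow grants for AWS resources", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/ExampleUser"},
     "Action": "kms:CreateGrant", "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
]}


def grant_admins(policy):
    """Principals the key policy allows to call kms:CreateGrant (who can hand out access)."""
    admins = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if "kms:CreateGrant" in actions or "kms:*" in actions:
            principals = st["Principal"]["AWS"]
            admins.update(principals if isinstance(principals, list) else [principals])
    return admins


def demo():
    """One grant per application, each scoped to the shared bucket's encryption context."""
    key = KeyGrants(KEY_ID)
    app_a = "arn:aws:iam::111122223333:role/app-a"   # placeholder role ARNs
    app_b = "arn:aws:iam::111122223333:role/app-b"
    key.create_grant(app_a, ["Decrypt", "GenerateDataKey"], S3_CONTEXT, "app-a-s3")
    grant_b = key.create_grant(app_b, ["Decrypt"], S3_CONTEXT, "app-b-s3-readonly")
    results = {
        "a_decrypt": key.is_allowed(app_a, "Decrypt", S3_CONTEXT),
        "b_generate": key.is_allowed(app_b, "GenerateDataKey", S3_CONTEXT),
        "a_other_bucket": key.is_allowed(app_a, "Decrypt", {"aws:s3:arn": "arn:aws:s3:::other"}),
    }
    key.revoke_grant(grant_b)   # pulling one application's access touches no other grant
    results["b_after_revoke"] = key.is_allowed(app_b, "Decrypt", S3_CONTEXT)
    return results
```

Each application gets its own grant, so revoking app-b's grant leaves app-a untouched and the key policy never has to change (the operational problem with option A). `grant_admins()` is the check a reviewer would run on a key policy: anyone it returns can create grants, so that set should be small.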
OCHT
2 years ago
Selected Answer: D
Option A is not feasible because it would involve continually updating the KMS key policy, which would be operationally complex and error-prone. Option B is incorrect because AWS Certificate Manager (ACM) and KMS are different services and have different purposes. ACM is used for managing SSL/TLS certificates, not for managing permissions on a KMS CMK. Option C could potentially work, but using grants would be more complex than using IAM policies. Grants are typically used to delegate permissions to AWS principals that are not managed in your AWS account.
upvoted 1 times
ITGURU51
2 years, 1 month ago
AWS recommends using grants for programmatic access control on CMKs. Therefore C is the best choice.
upvoted 1 times
sapien45
2 years, 10 months ago
Selected Answer: C
The RECOMMENDED method for PROGRAMMATIC access is to use grants.
upvoted 3 times
Jonfernz
3 years, 2 months ago
Selected Answer: C
Grants = Programmatic Access
upvoted 3 times
teo2157
3 years, 2 months ago
C is the answer; it says "programmatic access control permissions", and this is only achieved with KMS grants.
upvoted 1 times
TigerInTheCloud
3 years, 2 months ago
Selected Answer: B
A. It is a choice, but I think it is not as good as B. B. My choice, as the applications own the permission. C. Who creates the grant? D. You cannot use a different context for the same data encryption, can you?
upvoted 1 times
ceros399
3 years, 3 months ago
Selected Answer: C
C - with grants you can permit every account their specific access
upvoted 2 times
DingjieDanielYang
3 years, 4 months ago
Selected Answer: C
Unless the key policy explicitly allows it, you cannot use IAM policies to allow access to a KMS key.
upvoted 1 times
Radhaghosh
3 years, 5 months ago
Correct Answer is C (KMS Grant)
upvoted 1 times
ggx
3 years, 5 months ago
Selected Answer: B
B is the correct answer here
upvoted 2 times
Radhaghosh
3 years, 5 months ago
What is the reason?
upvoted 1 times
dumma
3 years, 8 months ago
A is correct, as each application needs to have its own programmatic access control permissions on the KMS CMK.
upvoted 3 times
Jacques1650
3 years, 8 months ago
https://ystoneman.medium.com/aws-kms-key-policies-vs-grants-41212f83f88c Answer "C" it is
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other