Exam AWS Certified Security - Specialty topic 1 question 90 discussion

Correct Answer: C "All CMKs must have a key policy. IAM policies are optional. To use an IAM policy to control access to a CMK, the key policy for the CMK must give the account permission to use IAM policies. Specifically, the key policy must include the policy statement that enables IAM policies." https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html "AWS KMS supports two resource-based access control mechanisms: key policies and grants. With grants you can programmatically delegate the use of KMS customer master keys (CMKs) to other AWS principals." https://docs.aws.amazon.com/kms/latest/developerguide/grants.html "A principal is a person or application that can make a request for an action or operation on an AWS resource" https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal

C, for sure. AWS KMS supports two resource-based access control mechanisms: Key policies and Grants. With grants you can programmatically delegate the use of KMS

Not D, cause grants on the KMS CMK is not to add or remove specific access controls on the key! Why would the application need to change access control on the key?! D is a better answer.

The answer cannot be C , as a KMS grant can only allow access to a KMS key, but not deny access. D Iis also

Answer is C B is >nearly true< But it writes "to use AWS CERTIFIED MANAGER CMK" (There is no such thing Since CMKs are attached to the KMS service) Answer C is corret since besides roles you can delegate rights to KMS keys especially well with Grants: Here is an example configuration of a KMS key policy that specifies Grant permissions: { Sid = "Allow attachment of persistent resources" Effect = "Allow" Principal = { AWS = "arn:aws:iam::234353542282:user/terrakid" } Action = [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ] Resource = "*" Condition = { StringEquals = { "kms:ViaService" = [ "ec2.eu-west-2.amazonaws.com", "rds.eu-west-2.amazonaws.com" ] } } }

Option A is not feasible because it would involve continually updating the KMS key policy, which would be operationally complex and error-prone. Option B is incorrect because AWS Certificate Manager (ACM) and KMS are different services and have different purposes. ACM is used for managing SSL/TLS certificates, not for managing permissions on a KMS CMK. Option C could potentially work, but using grants would be more complex than using IAM policies. Grants are typically used to delegate permissions to AWS principals that are not managed in your AWS account.

AWS recommends using grants for programmatic access control on CMK's. Therefore C is the best choice.

The RECOMMENDED method for PROGRAMMATIC acces is to use grants

Grants = Programmatic Access

C is the answer, it's said "programmatic access control permissions", this is only achieved with kms grants

A. It is a choice, but I think it is not as good as B. B. My choice, as the applications won the permission. C. Who create the grant? D. You cannot user different context for same data encryption, can you?

C - with grants you can permit every account their specific access

Unless the key policy explicitly allows it, you cannot use IAM policies to allow access to a KMS key.

Correct Answer is C (KMS Grant)

B is the correct answer here

A is correct as application needs to have its own programmatic access control permissions on the KMS CMK.

https://ystoneman.medium.com/aws-kms-key-policies-vs-grants-41212f83f88c Answer "C" it is