
Exam AWS Certified Security - Specialty topic 1 question 178 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 178
Topic #: 1

A company plans to use custom AMIs to launch Amazon EC2 instances across multiple AWS accounts in a single Region to perform security monitoring and analytics tasks. The EC2 instances are launched in EC2 Auto Scaling groups. To increase the security of the solution, a Security Engineer will manage the lifecycle of the custom AMIs in a centralized account and will encrypt them with a centrally managed AWS KMS CMK. The Security Engineer configured the KMS key policy to allow cross-account access. However, the EC2 instances are still not being properly launched by the EC2 Auto Scaling groups.
Which combination of configuration steps should the Security Engineer take to ensure the EC2 Auto Scaling groups have been granted the proper permissions to execute tasks?

  • A. Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy to allow the use of the centrally managed CMK for cryptographical operations. Configure EC2 Auto Scaling groups within each applicable account to use the created IAM role to launch EC2 instances.
  • B. Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy with permissions to create grants for the centrally managed CMK. Use this IAM role to create a grant for the centrally managed CMK with permissions to perform cryptographical operations and with the EC2 Auto Scaling service-linked role defined as the grantee principal.
  • C. Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Use the CMK administrator to create a CMK grant that includes permissions to perform cryptographical operations that define EC2 Auto Scaling service-linked roles from all other accounts as the grantee principal.
  • D. Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Modify the access policy for the EC2 Auto Scaling roles to perform cryptographical operations against the centrally managed CMK.
Suggested Answer: B
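As an added example (not part of the exam page, and not AWS's own code or documentation), the Python below builds the three artifacts that option B describes: the key policy in the central account with its cross-account statement, the IAM policy for the grant-creating role in the member account, and the CreateGrant request that names the EC2 Auto Scaling service-linked role as grantee. It also includes a simplified two-layer authorization check (key policy plus caller's IAM policy) that shows why launches fail when the key policy omits kms:CreateGrant. The account ids, the key id, the role name AsgKmsGrantRole and the evaluator itself are constructed assumptions; the evaluator approximates IAM's logic only (no conditions, SCPs or permission boundaries).

```python
import fnmatch
import json

# Constructed sample identifiers (placeholders, not taken from the question).
CENTRAL_ACCOUNT = "444455556666"   # account that owns and administers the CMK
MEMBER_ACCOUNT = "111122223333"    # account that runs the Auto Scaling group
KEY_ARN = f"arn:aws:kms:us-west-2:{CENTRAL_ACCOUNT}:key/EXAMPLE-KEY-ID"
GRANT_ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/AsgKmsGrantRole"  # hypothetical role
ASG_SLR_ARN = (f"arn:aws:iam::{MEMBER_ACCOUNT}:role/aws-service-role/"
               "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")

# Operations the service-linked role needs so it can attach encrypted EBS
# volumes built from the shared AMI.
GRANT_OPERATIONS = ["Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo",
                    "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
                    "DescribeKey", "CreateGrant"]


def key_policy(allow_create_grant: bool) -> dict:
    """Key policy for the CMK in the central account.

    The cross-account statement names the member account's root principal,
    which delegates the decision to IAM policies in that account. Without
    kms:CreateGrant the member account can use the key itself but cannot hand
    it to the Auto Scaling service-linked role, so instance launches fail.
    """
    actions = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
    if allow_create_grant:
        actions.append("kms:CreateGrant")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CentralAccountAdmin", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{CENTRAL_ACCOUNT}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "MemberAccountUse", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{MEMBER_ACCOUNT}:root"},
             "Action": actions, "Resource": "*"},
        ],
    }


def member_role_policy() -> dict:
    """IAM policy for the member-account role that creates the grant."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": ["kms:CreateGrant", "kms:DescribeKey"],
                           "Resource": KEY_ARN}]}


def grant_request() -> dict:
    """Keyword arguments for kms:CreateGrant, issued by the member-account role."""
    return {"KeyId": KEY_ARN, "GranteePrincipal": ASG_SLR_ARN,
            "Operations": GRANT_OPERATIONS}


def _account_of(arn: str) -> str:
    return arn.split(":")[4]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value: str) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Identity-policy side: explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def key_policy_allows(policy: dict, principal_arn: str, action: str) -> bool:
    """Key-policy side: an account root principal covers every IAM principal
    of that account; a specific ARN covers only that ARN."""
    allowed = False
    for st in policy["Statement"]:
        principals = _as_list(st["Principal"].get("AWS", []))
        matched = any(p == principal_arn or
                      (p.endswith(":root") and _account_of(p) == _account_of(principal_arn))
                      for p in principals)
        if not matched or not _matches(st["Action"], action):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_create_grant(kp: dict, role_policy: dict, role_arn: str = GRANT_ROLE_ARN) -> bool:
    """A cross-account CreateGrant succeeds only if BOTH the key policy and the
    caller's own IAM policy allow kms:CreateGrant on the key."""
    return (key_policy_allows(kp, role_arn, "kms:CreateGrant")
            and policy_allows(role_policy, "kms:CreateGrant", KEY_ARN))


if __name__ == "__main__":
    print(json.dumps(grant_request(), indent=2))
    print("with kms:CreateGrant in key policy:", can_create_grant(key_policy(True), member_role_policy()))
    print("without it:", can_create_grant(key_policy(False), member_role_policy()))
```

The grant_request() dictionary is what the member-account role would pass to kms.create_grant (boto3) or aws kms create-grant; running it for real requires the role to exist and the key policy to carry the CreateGrant action, which is exactly the pair of conditions the check above models.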

Comments

GVGREAT
Highly Voted 3 years, 9 months ago
Agree with B https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html#policy-example-cmk-cross-account-access
upvoted 15 times
Samoanhulk
Highly Voted 3 years, 8 months ago
B is correct
upvoted 5 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: B
https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html#policy-example-cmk-cross-account-access
upvoted 1 times
Raphaello
1 year, 4 months ago
Selected Answer: D
D is the correct answer. In the KMS key policy allow cryptographic actions plus "CreateGrant" for all accounts with Auto-Scaling to be used. In the accounts with Auto-Scaling to be used create an IAM role with permission to "CreateGrant" to the KMS key over in the KMS key account, allowing that role to grant cryptographic operations to Auto-Scaling service role.
upvoted 1 times
Raphaello
1 year, 4 months ago
B IS THE CORRECT ANSWER! The description there is for B, not D. My mistake.
upvoted 1 times
Raphaello
1 year, 4 months ago
Ref. https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html#policy-example-cmk-cross-account-access Again, B is the correct answer here.
upvoted 1 times
boooliyooo
2 years, 6 months ago
Selected Answer: B
Option A is incorrect because it does not specify that the IAM role in the applicable accounts should have permissions to create grants for the centrally managed CMK. Option C is incorrect because it does not specify which IAM role should be granted permissions to perform cryptographical operations against the centrally managed CMK. Option D is incorrect because it does not specify how the EC2 Auto Scaling roles should be granted permissions to perform cryptographical operations against the centrally managed CMK.
upvoted 1 times
sapien45
2 years, 10 months ago
Selected Answer: B
Changed my mind after carefully reading this link: https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html The KMS account allows the Auto Scaling group account to grant. Then the Auto Scaling group account creates a role with grant permissions. Using that role, an Auto Scaling group account user creates a grant on the KMS key referencing the Auto Scaling group.
upvoted 4 times
sapien45
2 years, 10 months ago
Selected Answer: D
One command line is better than a thousand words:
    aws kms create-grant \
        --region us-west-2 \
        --key-id arn:aws:kms:us-west-2:444455556666:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d \
        --grantee-principal arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling \
        --operations "Encrypt" "Decrypt" "ReEncryptFrom" "ReEncryptTo" "GenerateDataKey" "GenerateDataKeyWithoutPlaintext" "DescribeKey" "CreateGrant"
upvoted 1 times
Tesla_0011
3 years, 2 months ago
Selected Answer: B
B describes complete steps.
upvoted 1 times
Radhaghosh
3 years, 5 months ago
B. Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy with permissions to create grants for the centrally managed CMK. Use this IAM role to create a grant for the centrally managed CMK with permissions to perform cryptographical operations and with the EC2 Auto Scaling service-linked role defined as the grantee principal.
upvoted 1 times
kiev
3 years, 8 months ago
B is very smooth
upvoted 4 times
Hungdv
3 years, 9 months ago
B is the answer https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html
upvoted 4 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other