Exam AWS Certified Security - Specialty topic 1 question 267 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 267
Topic #: 1

A user in account 111122223333 is receiving an access denied error message while calling the AWS Key Management Service (AWS KMS) GenerateDataKey
API operation. The key policy contains the following statement:

Account 111122223333 is not using AWS Organizations SCPs.
Which combination of steps should a security engineer take to ensure that KMSUser can perform the action on the key? (Choose two.)

  • A. Modify the key policy to include the key's key ID in the Resource field.
  • B. Verify that KMSUser has no explicit denies for the GenerateDataKey action in its attached IAM policies.
  • C. Verify that KMSUser is allowed to perform the GenerateDataKey action in its attached IAM policies for the encryption context.
  • D. Ensure that KMSUser is including the encryption context key-value pair in its GenerateDataKey.
  • E. Revoke any KMS grants on the key that are denying the GenerateDataKey action for KMSUser.
Suggested Answer: BD
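
An added example, not part of the exam question or of any comment on this page, that models the authorization decision the suggested answer relies on. The question's key policy statement is not reproduced on this page, so the policies, the KMSUser ARN and the AppName=ExampleApp encryption context below are constructed assumptions; the condition-key form kms:EncryptionContext:<name> and the evaluation order (an explicit Deny anywhere wins, then a key policy Allow for the caller, then same-account delegation to IAM via the account root principal) are the real KMS semantics. Resource matching is omitted (assume the key ARN matches).

```python
"""Toy model of the KMS authorization decision (added example, not from the page)."""

ACCOUNT = "111122223333"                             # account from the question
KMS_USER = f"arn:aws:iam::{ACCOUNT}:user/KMSUser"    # principal named in the question (ARN assumed)
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
ACTION = "kms:GenerateDataKey"

# Constructed stand-in for the question's key policy: KMSUser may call GenerateDataKey
# only when the request carries the encryption context AppName=ExampleApp.
KEY_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": KMS_USER}, "Action": ACTION, "Resource": "*",
    "Condition": {"StringEquals": {"kms:EncryptionContext:AppName": "ExampleApp"}}}]}
# Constructed key policy that only delegates to IAM (the default "Enable IAM User Permissions" shape).
DELEGATING_KEY_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"}]}
# Constructed identity policies that might be attached to KMSUser.
IAM_ALLOW = {"Statement": [{"Effect": "Allow", "Action": ACTION, "Resource": "*"}]}
IAM_EXPLICIT_DENY = {"Statement": [{"Effect": "Deny", "Action": ACTION, "Resource": "*"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_match(stmt, principal):
    """'direct' for the caller itself, 'root' when matched through the account root ARN
    (which is how a key policy delegates to IAM), None when the statement does not apply.
    IAM policy statements carry no Principal: they apply to the identity they are attached to."""
    if "Principal" not in stmt:
        return "direct"
    for p in _as_list(stmt["Principal"].get("AWS", [])):
        if p in (principal, "*"):
            return "direct"
        if p.endswith(":root") and principal.startswith(p[:-len("root")]):
            return "root"
    return None


def _action_match(stmt, action):
    return any(a in (action, "kms:*", "*") for a in _as_list(stmt["Action"]))


def _condition_match(stmt, context):
    """Only StringEquals on kms:EncryptionContext:<name> is modelled. A name absent from the
    request's encryption context can never equal the expected value, so a call that omits the
    context fails the condition even though the Allow statement names the caller."""
    prefix = "kms:EncryptionContext:"
    for operator, clauses in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in clauses.items():
            if not key.startswith(prefix):
                raise NotImplementedError(f"condition key {key} not modelled")
            if context.get(key[len(prefix):]) not in _as_list(expected):
                return False
    return True


def evaluate(principal, action, context, key_policy, iam_policies, same_account=True):
    """Return (decision, reason) for one request."""
    applicable = []                                  # (source, match kind, statement)
    for source, policy in [("key policy", key_policy)] + [("IAM policy", p) for p in iam_policies]:
        for stmt in policy["Statement"]:
            kind = _principal_match(stmt, principal)
            if kind and _action_match(stmt, action):
                applicable.append((source, kind, stmt))
    # 1. An explicit Deny in any applicable policy overrides every Allow (option B).
    for source, _, stmt in applicable:
        if stmt["Effect"] == "Deny" and _condition_match(stmt, context):
            return "Deny", f"explicit Deny in {source}"
    iam_allows = any(s["Effect"] == "Allow" and _condition_match(s, context)
                     for src, _, s in applicable if src == "IAM policy")
    # 2. A key policy Allow that names the caller is sufficient in the same account (option D is
    #    about making its Condition true); a cross-account caller also needs its own IAM Allow.
    key_direct = [s for src, k, s in applicable if src == "key policy" and k == "direct" and s["Effect"] == "Allow"]
    if any(_condition_match(s, context) for s in key_direct):
        if same_account or iam_allows:
            return "Allow", "key policy Allow matched"
        return "Deny", "cross-account: key policy allows but caller's IAM policy does not"
    # 3. Key policy delegates to the account root, so same-account IAM policies decide.
    delegated = any(_condition_match(s, context)
                    for src, k, s in applicable if src == "key policy" and k == "root" and s["Effect"] == "Allow")
    if same_account and delegated:
        if iam_allows:
            return "Allow", "IAM policy Allow, delegated by key policy"
        return "Deny", "key policy delegates to IAM but no IAM policy allows the action"
    if key_direct:
        return "Deny", "key policy Allow exists but its Condition is not met by the request's encryption context"
    return "Deny", "no applicable Allow (implicit deny)"


def scenarios():
    ctx = {"AppName": "ExampleApp"}
    return {
        "no_context": evaluate(KMS_USER, ACTION, {}, KEY_POLICY, []),
        "wrong_context": evaluate(KMS_USER, ACTION, {"AppName": "Other"}, KEY_POLICY, []),
        "iam_explicit_deny": evaluate(KMS_USER, ACTION, ctx, KEY_POLICY, [IAM_EXPLICIT_DENY]),
        "with_context": evaluate(KMS_USER, ACTION, ctx, KEY_POLICY, []),
        "delegated_no_iam_allow": evaluate(KMS_USER, ACTION, {}, DELEGATING_KEY_POLICY, []),
        "delegated_iam_allow": evaluate(KMS_USER, ACTION, {}, DELEGATING_KEY_POLICY, [IAM_ALLOW]),
    }


if __name__ == "__main__":
    for name, (decision, reason) in scenarios().items():
        print(f"{name:24s} {decision:5s} {reason}")
```

The two scenarios that map to the suggested answer are `iam_explicit_deny` (an explicit Deny in the user's identity policy beats the key policy Allow) and `no_context` (the key policy names the user, yet the request is denied because the kms:EncryptionContext condition is not satisfied). The `delegated_*` scenarios show when an IAM Allow does matter: only when the key policy delegates through the account root principal rather than naming the caller, which is the situation option C would address.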

Comments

raoconn
Highly Voted 3 years, 9 months ago
B&D
B. Verify that KMSUser has no explicit denies for the GenerateDataKey action in its attached IAM policies. If the user already has the GenerateDataKey permission in IAM, and no explicit deny, then he should have permission - check out the diagram https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html
D. Ensure that KMSUser is including the encryption context key-value pair in its GenerateDataKey. If you submit the encryption context value in the encryption operation, you are required to pass it in the corresponding decryption operation. You can use the encryption context inside your policies to enforce tighter controls for your encrypted resources. https://docs.aws.amazon.com/whitepapers/latest/kms-best-practices/encryption-context.html
upvoted 20 times
dumma
Highly Voted 3 years, 9 months ago
B and C
upvoted 5 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: BD
Correct answers are BD. Ensure there is no explicit deny (in the user IAM policy). Ensure user uses the encryption context key-value pair.
upvoted 1 times
lmimi
1 year, 7 months ago
I think B is valid if the key is in the same account as 111122223333. However it is not mentioned. If in different accounts, B is wrong and C is correct.
upvoted 1 times
TigerInTheCloud
3 years, 2 months ago
Selected Answer: BD
B and D. C: There is "allow" in source policy, no "allow" is required on the principal side. Only need to make sure there is no explicit "Deny" somewhere else. If the VPC endpoint is involved, there is a need of checking if there is "allow" access through the endpoint policy.
upvoted 1 times
RaySmith
3 years, 4 months ago
B and D is correct
upvoted 2 times
YouYouYou
3 years, 5 months ago
Selected Answer: BD
B&D is correct
upvoted 1 times
yfwang
3 years, 6 months ago
Selected Answer: BD
B&D is my answer.
upvoted 2 times
yfwang
3 years, 6 months ago
B&D is my answer
upvoted 1 times
jtzt2003
3 years, 8 months ago
It is B & D. The Key Policy contains an encryption context condition, so that key pair needs to be applied using the --encryption-context [key=value] option
upvoted 4 times
hk436
3 years, 8 months ago
BD is my answer.!
upvoted 2 times
kiev
3 years, 9 months ago
BC as well for me. Check issues with IAM policy to see there is no express denial or that authority exists to generate data key.
upvoted 3 times
boooliyooo
3 years, 7 months ago
C is redundant as the policy clearly states allow.
upvoted 1 times

Community vote distribution: A (35%), C (25%), B (20%), Other