Exam AWS Certified Security - Specialty topic 1 question 308 discussion

You need the Grant Token (not a random generated) Answer is D

D is actually what makes sense out of all options.

eliminating B & C: --> The grant token is generated by AWS KMS as a response to the CreateGrant operation. A: It will cause unnecessary delays and still does not address the root cause of the issue. you can not expect user to retry every 2 min and hope for it to succeed. That could turn into infinite loop.

D - is correct Grant Token should be used this case

D. The grant token returned in the CreateGrant response should be used by the users in their call to encrypt. This will ensure that the grant token is valid and can be used to encrypt the payload.

as per the doc (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html#create-grant and https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms.html#KMS.Client.create_grant) CreateGrant returns a grant token.

Answer A The grantee principal can use the permissions that the grant gives them without specifying the grant, just as they would if the permissions came from a key policy or IAM policy. However, when you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until the operation achieves eventual consistency. To use the permissions in a grant immediately, use a grant token. https://docs.aws.amazon.com/kms/latest/developerguide/grants.html

To use the permissions in a new grant immediately, use the grant token for the grant. Save the grant token that the CreateGrant operation returns. Then submit the grant token in the request for the AWS KMS operation. D

it's D

D is the good answer

When you apply a grant, the effect is not immediate. It takes time for all of KMS to learn it. So if you want the grant to work immediately, you need to use the CreateGrant operation and use the grant token that it returns. You can use this token to GenerateDataKey and Decrypt. # Create a grant; save the grant token token=$(aws kms create-grant \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ --grantee-principal arn:aws:iam::111122223333:user/appUser \ --retiring-principal arn:aws:iam::111122223333:user/acctAdmin \ --operations GenerateDataKey Decrypt \ --query GrantToken \ --output text) # Use the grant token in a request aws kms generate-data-key \ --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ –-key-spec AES_256 \ --grant-tokens $token

D refer: https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token

A - When you create a grant, the grant might not be effective immediately. There's likely to be a brief interval, less than five minutes, until the grant achieves eventual consistency, that is, before the new grant is available throughout AWS KMS. https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token B - Grantor does not need information from grantee C - Token not name is used D - That is the action which run into issue.

https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token D is the answer

To use the permissions in a new grant immediately, use the grant token for the grant. Save the grant token that the CreateGrant operation returns. Then submit the grant token in the request for the AWS KMS operation. You can submit a grant token to any AWS KMS grant operation and you can submit multiple grant tokens in the same request.

D - CreateGrant is the only operation that returns a grant token. You cannot get a grant token from any other AWS KMS operation

D......pass the grant token returned in the CreateGrant response to users