Exam AWS Certified Security - Specialty topic 1 question 310 discussion

Exam question from Amazon's AWS Certified Security - Specialty

Question #: 310
Topic #: 1

[All AWS Certified Security - Specialty Questions]

A security engineer needs to create an AWS Key Management Service (AWS KMS) key that will be used to encrypt all data stored in a company's Amazon S3 buckets in the us-west-1 Region. The key will use server-side encryption. Usage of the key must be limited to requests coming from Amazon S3 within the company's account.
Which statement in the KMS key policy will meet these requirements?
A.

B.

C.

D.

Show Suggested Answer

Suggested Answer: D

by argol at Jan. 5, 2022, 7:40 p.m.

Disclaimers:

- ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Submit Cancel

sam_live

Highly Voted 3 years, 5 months ago

A correct answer. https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-caller-account

upvoted 16 times

Tofu13

2 years, 1 month ago

updated link https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-caller-account

upvoted 2 times

...

Raphaello

Most Recent 1 year, 4 months ago

Correct answer is A. kms:ViaService kms:CallerAccount Will do the job!

upvoted 1 times

...

Raphaello

1 year, 4 months ago

A. A is the correct answer.

upvoted 1 times

...

c73bf38

2 years, 3 months ago

A:The policy grants permission to the AWS account root user to perform encryption, decryption, re-encryption, generate data keys, and describe the key operations on all KMS keys. The policy includes a condition that restricts access to requests coming from the same account and requests with an S3 source ARN that matches the account ID and us-west-1 Region.

upvoted 1 times

...