
Exam AWS Certified Security - Specialty topic 1 question 298 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 298
Topic #: 1

A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company's security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructureDeployment IAM role:

The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key for other services.
Which change to the policy should the security engineer make to resolve these issues?

  • A. In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change StringEquals to StringLike.
  • B. In the policy document, remove the statement block that contains the Sid "Enable IAM User Permissions". Add key management policies to the KMS policy.
  • C. In the statement block that contains the Sid "Allow use of the key", under the "Condition" block, change the kms:ViaService value to ec2.us-east-1.amazonaws.com.
  • D. In the policy document, add a new statement block that grants the kms:Disable* permission to the security engineer's IAM role.
Suggested Answer: B 🗳️

Comments

D2
Highly Voted 2 years, 7 months ago
Selected Answer: B
Answer B. The first block of the policy grants 'admin' permissions to users. IAM root indicates all users in the account. Refer below: "A key policy document with a statement that allows access to the AWS account (root user) enables IAM policies in the account to allow access to the KMS key. This means that IAM users and roles in the account might have access to the KMS key even if they are not explicitly listed as principals in the key policy document." https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html
upvoted 9 times
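The mechanism D2 quotes from the KMS developer guide, as an added worked example (not part of the exam page or of any comment): a deliberately simplified model of how KMS decides whether a principal may use a key. It encodes only two rules, a root-principal statement making the account's IAM identity policies effective for the key, and named-principal statements that apply directly subject to a kms:ViaService condition. The account id, the DataPipeline and SecurityEngineer roles, and the IAM policies they carry are constructed; the ec2.us-east-1.amazonaws.com value is the one from option C.

```python
"""Simplified model of KMS key-policy evaluation (added example, not from the
exam page or from AWS). It encodes the two rules the discussion relies on:

  1. A key-policy statement whose Principal is the account root (the default
     "Enable IAM User Permissions" statement) makes IAM identity policies in
     that account effective for the key, so any role whose IAM policy allows a
     kms action can use the key without being named in the key policy.
  2. Other key-policy statements grant access only to the named principal,
     subject to conditions such as kms:ViaService.

Deny statements, grants, cross-account access and the full IAM condition
language are deliberately left out. Account id and role names are constructed.
"""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"                                        # constructed
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"
DEPLOY_ROLE = f"arn:aws:iam::{ACCOUNT}:role/InfrastructureDeployment"
OTHER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/DataPipeline"        # constructed
SECENG_ROLE = f"arn:aws:iam::{ACCOUNT}:role/SecurityEngineer"   # constructed
EBS_VIA_SERVICE = "ec2.us-east-1.amazonaws.com"  # EBS reaches KMS via the EC2 endpoint


def key_policy(with_root_statement, admin_arn=None):
    """Build the key policy from the question: the optional default root
    statement, the restricted "Allow use of the key" statement and, for
    option B, an explicit key-administration statement that replaces the
    administrative access the root statement used to provide."""
    statements = []
    if with_root_statement:
        statements.append({
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": ROOT_ARN},
            "Action": "kms:*",
            "Resource": "*",
        })
    if admin_arn:
        statements.append({
            "Sid": "Allow key administration",
            "Effect": "Allow",
            "Principal": {"AWS": admin_arn},
            "Action": ["kms:Describe*", "kms:Enable*", "kms:Disable*",
                       "kms:Put*", "kms:Get*", "kms:ScheduleKeyDeletion"],
            "Resource": "*",
        })
    statements.append({
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {"AWS": DEPLOY_ROLE},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": EBS_VIA_SERVICE}},
    })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_allows(stmt, principal, action, via_service):
    """True if this Allow statement names the principal, matches the action
    and satisfies a StringEquals kms:ViaService condition when one is present."""
    if stmt.get("Effect") != "Allow":
        return False
    if principal not in _as_list(stmt["Principal"]["AWS"]):
        return False
    if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService")
    return wanted is None or via_service == wanted


def may_use_key(policy, iam_allows, principal, action, via_service=None):
    """iam_allows maps a role ARN to the kms actions its IAM identity policy
    allows (a simplified stand-in for the account's IAM policies)."""
    # Rule 2: the key policy grants the action to this principal directly.
    if any(_statement_allows(s, principal, action, via_service) for s in policy["Statement"]):
        return True
    # Rule 1: a root statement makes IAM policies effective for same-account principals.
    same_account = principal.split(":")[4] == ACCOUNT
    root_enabled = any(_statement_allows(s, ROOT_ARN, action, via_service) for s in policy["Statement"])
    if same_account and root_enabled:
        return any(fnmatchcase(action, pat) for pat in iam_allows.get(principal, []))
    return False


# Constructed: another team's role carries a broad IAM policy, which is how an
# unlisted role ends up using the key while the root statement is present.
IAM_ALLOWS = {OTHER_ROLE: ["kms:*"], SECENG_ROLE: ["kms:*"]}


def demo():
    before = key_policy(with_root_statement=True)
    after = key_policy(with_root_statement=False, admin_arn=SECENG_ROLE)  # option B
    return {
        "other_role_before": may_use_key(before, IAM_ALLOWS, OTHER_ROLE, "kms:Decrypt", "s3.us-east-1.amazonaws.com"),
        "other_role_after": may_use_key(after, IAM_ALLOWS, OTHER_ROLE, "kms:Decrypt", "s3.us-east-1.amazonaws.com"),
        "deploy_role_via_ebs": may_use_key(after, IAM_ALLOWS, DEPLOY_ROLE, "kms:GenerateDataKey", EBS_VIA_SERVICE),
        "deploy_role_via_s3": may_use_key(after, IAM_ALLOWS, DEPLOY_ROLE, "kms:GenerateDataKey", "s3.us-east-1.amazonaws.com"),
        "admin_can_disable": may_use_key(after, IAM_ALLOWS, SECENG_ROLE, "kms:DisableKey"),
        "admin_cannot_decrypt": may_use_key(after, IAM_ALLOWS, SECENG_ROLE, "kms:Decrypt"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24} {'ALLOW' if allowed else 'DENY'}")
```

Running it shows the two halves of option B: with the root statement in place the unlisted DataPipeline role can decrypt through its own IAM policy; once the root statement is removed only the principals named in the key policy get anything, so a separate administration statement is needed or nobody can manage the key (the point sam_live raises below). The InfrastructureDeployment role keeps working only when the call arrives via the EC2 endpoint.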
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: B
The best of these options is B, although logically the security engineer should sanitize the other IAM roles to stop them from using the key, instead of removing the default policy part.
upvoted 1 times
Noexperience
2 years ago
C is the answer. SID is a security identifier that is optional; it doesn't play any key role.
upvoted 1 times
ude
2 years, 11 months ago
Selected Answer: B
B is the answer
upvoted 3 times
Skr81
3 years, 4 months ago
B. The key policy is the best place to control who can use the key, not an IAM policy.
upvoted 1 times
AliS2020
3 years, 5 months ago
Did find the article but still not sure if we need to pick B as the answer: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
upvoted 1 times
sam_live
3 years, 5 months ago
B can't be the answer. If the default key policy is removed then no other IAM principal will be able to access the key. The KMS policy is different from those of other AWS resources. None of the options seem correct to me. It is possible that some parts of the question are missing.
upvoted 1 times
dcasabona
2 years, 11 months ago
I agree, it will lock users out from accessing the key, but it seems to be the only possible answer.
upvoted 1 times
roger8978
3 years, 6 months ago
Only B makes sense. StringEquals and us-west-2 are okay to use in ViaService.
upvoted 1 times
argol
3 years, 6 months ago
Key management policy: "B" is the answer.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)