
Exam AWS Certified Security - Specialty topic 1 question 432 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 432
Topic #: 1

A developer has created an AWS Lambda function in a company’s development account. The Lambda function requires the use of an AWS Key Management Service (AWS KMS) customer managed key that exists in a security account that the company’s security team controls. The developer obtains the ARN of the KMS key from a previous Lambda function in the development account. The previous Lambda function had been working properly with the KMS key.

When the developer uses the ARN and tests the new Lambda function, an error message states that access is denied to the KMS key in the security account. The developer tests the previous Lambda function that uses the same KMS key and discovers that the previous Lambda function still can encrypt data as expected.

A security engineer must resolve the problem so that the new Lambda function in the development account can use the KMS key from the security account.

Which combination of steps should the security engineer take to meet these requirements? (Choose two.)

  • A. In the security account, configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.
  • B. In the development account, configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.
  • C. In the development account, configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.
  • D. Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the security account.
  • E. Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.
Suggested Answer: CE
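The two policy documents behind the suggested answer, as an added example that is not part of the exam question, of the comments below, or of any AWS documentation: answer C is the IAM identity policy on the Lambda execution role in the development account, answer E is the key policy in the security account naming that role. The block also includes a deliberately simplified evaluator (Allow statements only, no Deny or Condition handling, trailing-`*` wildcards only) that applies the cross-account rule the AWS policy-evaluation docs describe: both the key policy and the caller's own IAM policy must allow the call. Account ids, role names and the key id are constructed placeholders.

```python
"""Added example (not from the exam page or AWS): model of the policy documents
for answers C and E, plus a simplified cross-account KMS access evaluation.
Account ids, role names and the key id below are constructed placeholders.
"""
SECURITY_ACCOUNT = "111111111111"  # constructed: account that owns the KMS key
DEV_ACCOUNT = "222222222222"       # constructed: account that owns the Lambda
KEY_ARN = (f"arn:aws:kms:us-east-1:{SECURITY_ACCOUNT}:key/"
           "00000000-0000-0000-0000-000000000000")  # constructed key id
OLD_ROLE_ARN = f"arn:aws:iam::{DEV_ACCOUNT}:role/old-lambda-role"  # constructed
NEW_ROLE_ARN = f"arn:aws:iam::{DEV_ACCOUNT}:role/new-lambda-role"  # constructed
KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]


def key_policy(external_principals):
    """Answer E: key policy on the key in the security account. Principals from
    another account must be named here (role ARNs or that account's root)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "SecurityAccountAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{SECURITY_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowDevAccountRoles", "Effect": "Allow",
         "Principal": {"AWS": list(external_principals)},
         "Action": KMS_ACTIONS, "Resource": "*"},
    ]}


def role_policy(key_arn):
    """Answer C: identity policy attached to the Lambda execution role in the
    development account, scoped to the single key ARN it needs."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": KMS_ACTIONS, "Resource": key_arn}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Only a trailing '*' wildcard is modelled (enough for kms:GenerateDataKey*).
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _account_of(arn):
    # ARN layout: arn:partition:service:region:account-id:resource
    return arn.split(":")[4]


def _allows(policy, action, resource, principal=None):
    """True if some Allow statement covers the action and resource and, for a
    resource (key) policy, names the principal by ARN or by its account root.
    Deny statements and Condition blocks are deliberately not modelled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_action_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if stmt["Resource"] not in ("*", resource):
            continue
        if principal is not None:
            allowed = _as_list(stmt["Principal"]["AWS"])
            root = f"arn:aws:iam::{_account_of(principal)}:root"
            if principal not in allowed and root not in allowed:
                continue
        return True
    return False


def can_use_key(key_pol, caller_role_arn, caller_iam_policy, action, key_arn=KEY_ARN):
    """Cross-account rule: the key policy in the key's account must allow the
    caller AND the caller's own account must allow it via an IAM policy."""
    key_ok = _allows(key_pol, action, key_arn, principal=caller_role_arn)
    iam_ok = _allows(caller_iam_policy, action, key_arn)
    return key_ok and iam_ok


def scenario():
    """Walk the question: the old role works; the new role is denied until
    both step C (IAM policy) and step E (key policy) are in place."""
    empty = {"Version": "2012-10-17", "Statement": []}
    only_old = key_policy([OLD_ROLE_ARN])
    both_roles = key_policy([OLD_ROLE_ARN, NEW_ROLE_ARN])
    return {
        "old_role": can_use_key(only_old, OLD_ROLE_ARN, role_policy(KEY_ARN), "kms:Encrypt"),
        "new_role_no_steps": can_use_key(only_old, NEW_ROLE_ARN, empty, "kms:Encrypt"),
        "new_role_C_only": can_use_key(only_old, NEW_ROLE_ARN, role_policy(KEY_ARN), "kms:Encrypt"),
        "new_role_E_only": can_use_key(both_roles, NEW_ROLE_ARN, empty, "kms:Encrypt"),
        "new_role_C_and_E": can_use_key(both_roles, NEW_ROLE_ARN, role_policy(KEY_ARN),
                                        "kms:GenerateDataKey"),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

Running the block prints one line per case; only `old_role` and `new_role_C_and_E` come out as allowed. The role ARN for the new function carries the development account id because a Lambda execution role always lives in the function's own account, which is why the IAM policy of answer C goes there and the key policy of answer E has to name a development-account principal.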

Comments

Isaias
Highly Voted 2 years, 5 months ago
Selected Answer: CE
C: Lambda needs an IAM role that has an IAM policy to use KMS services. E: The IAM role needs permission to use the CMK; attach the permission in the key policy.
upvoted 7 times
Arad
Most Recent 11 months ago
Selected Answer: AE
AE is correct. The role must be created in the security account where the KMS key resides, not in the development account.
upvoted 1 times
kejam
1 year, 5 months ago
Selected Answer: CE
https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html
upvoted 1 times
Green53
1 year, 10 months ago
Selected Answer: AE
Since this is a cross account request, and the KMS key resides in the security account, this is also where the IAM policy should reside. This page describes it well: https://docs.aws.amazon.com/step-functions/latest/dg/tutorial-access-cross-acct-resources.html It's related to step functions, but states: You specify the target IAM role the state machine must assume before invoking the cross-account Lambda function. Then, modify the trust policy in the target IAM role to allow the source account to assume the target role temporarily. Also, to call the AWS resource, define the appropriate permissions in the target IAM role. Finally, update the source account’s execution role to specify the required permission to assume the target role. So, dev (source) account Lambda assumes a role in production (target) account, which has an IAM policy providing access to KMS key.
upvoted 2 times
francinetanzx
1 year, 10 months ago
In this case, wouldn't option D be a better fit? Since according to option A, the IAM role for the function resides in the security account.
upvoted 1 times
Toptip
1 year, 11 months ago
Selected Answer: CE
C+E bingooo
upvoted 1 times
OCHT
1 year, 11 months ago
Selected Answer: AE
Although option E is correct, option C is not because it suggests to "configure an IAM role for the new Lambda function in the development account", which is incorrect. The IAM role for the Lambda function should be configured in the security account, where the KMS key resides. This is because permissions for resources should be configured where the resources reside.
upvoted 2 times
sam15
2 years, 2 months ago
C,E. The link below provides clarity on how cross-account access should work with KMS: https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html#example-cross-acct
upvoted 4 times
selim507
2 years, 3 months ago
Selected Answer: AD
Since the KMS key is located in a different account than the dev account, we have to set up the permissions in the security account first, then assume the Lambda role from the dev account.
upvoted 2 times
Teknoklutz
2 years, 4 months ago
Selected Answer: CE
CE for sure
upvoted 3 times
amcloud
2 years, 4 months ago
Selected Answer: AE
It's AD - https://aws.amazon.com/es/premiumsupport/knowledge-center/lambda-function-assume-iam-role/ You have to set the permission in the cross-account. In the Lambda account the role only needs the assume role statement.
upvoted 3 times
D2
2 years, 5 months ago
CE correct
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other