Exam AWS Certified Security - Specialty topic 1 question 435 discussion

I go with C https://aws.amazon.com/premiumsupport/knowledge-center/lambda-execution-role-s3-bucket/?nc1=h_ls

GRANTS seems to be the best option https://docs.aws.amazon.com/kms/latest/developerguide/grants.html

Answer D A security engineer must ensure that each Lambda function has its own programmatic access control permissions to use the KMS key. https://docs.aws.amazon.com/lambda/latest/dg/security-iam.html https://docs.aws.amazon.com/kms/latest/developerguide/cmks-in-iam-policies.html

Selected Answer: C - Answerd by ChatGPT. By creating a separate Lambda execution role for each Lambda function, the security engineer can define granular access permissions for each function. The Lambda execution role can include the necessary permissions to use the KMS key, allowing the Lambda function to access the encrypted data in the S3 bucket. This approach ensures that each Lambda function has its own distinct set of permissions and provides isolation of access control for each function. On the other hand, Option B (creating a key grant for the Lambda service principal) would grant permissions directly to the Lambda service principal itself rather than to individual Lambda functions. This approach would not provide separate programmatic access control permissions for each Lambda function, as all functions would share the same permissions granted to the Lambda service principal. Therefore, Option C is the correct choice to ensure that each Lambda function has its own programmatic access control permissions to use the KMS key.

The correct answer is C, because: 1. Requirement "Each Lambda Function has ITS OWN programmatic access" points to C (C: specific access permissions for EACH lambda function); (B: grant for THE lambda principal) - Grants are often used for temporary permissions

https://docs.aws.amazon.com/workspaces-web/latest/adminguide/getting-started-iam-user-access-keys.html

Programatic access = Grant

Lambda execution role

Very difficult choice between B and C. The correct answer is C, because: - Requirement "each Lambda function has ITS OWN programmatic access" points to C (C: specific access permissions for EACH lambda function); (B: grant for THE lambda principal) - Grants are often used for temporary permissions

Lambda execution role is a service role

Programmatic access= Grants

B "However, the grantee principal cannot be a service principal" https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant-best-practices Breaking down C, it might be saying "that provides specific access permissions...for each Lambda function", I guess by listing each lambda ARN one by one in the role policy. If so then for me this meets the "ensure that each Lambda function has its own access" part of the requirement and seems the better choice.

Grant for programmatic access.

Grant for programmatic access

Every Lambda function has an IAM role called an execution role.

Why not B - Key Grants are used programmatic access control permissions to use the KMS key

C is more appropriate as D talks about AWS managed KMS key whereas questions states it's customer managed key