
Exam AWS Certified Security - Specialty topic 1 question 475 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 475
Topic #: 1

A security team is developing an automated solution that uses an AWS Lambda function to provision an Amazon EC2 instance. The solution will provision the EC2 instance with an IAM role that has the permissions necessary to make API calls to other AWS services in the same AWS account. The security team can create the AMI for this EC2 instance. The team encrypts the AMI by using an AWS Key Management Service (AWS KMS) customer managed key.

When the team invokes the Lambda function to launch the EC2 instance, the team receives an access denied error message from the Lambda function’s execution role. The team analyzes the Lambda function execution role for missing permissions.

What is the MOST likely cause of this error message?

  • A. The Lambda function’s execution role does not have kms:CreateGrant and kms:Decrypt KMS key permissions for the encrypted AMI.
  • B. The Lambda function's execution role does not have iam:PassRole permission for the requested IAM instance profile.
  • C. The company has reached the account's service quota for the EC2 instance type that the Lambda function is provisioning in the AWS Region.
  • D. The Lambda function’s execution role does not have Amazon CloudWatch read and write permissions for the configured CloudWatch agent on the EC2 instance.
Suggested Answer: B

Comments

OCHT
Highly Voted 1 year, 10 months ago
Selected Answer: B
[Explanation] While it's true that the AWS Lambda function's execution role would need permission to use the KMS key to decrypt the AMI (via the kms:Decrypt permission), the kms:CreateGrant permission isn't usually necessary for launching an EC2 instance from an encrypted AMI. The kms:CreateGrant permission is used to delegate access to the KMS key to other principals, which isn't described as necessary in this scenario. The most likely reason for the access denied error, given the provided scenario, is that the execution role for the Lambda function does not have the iam:PassRole permission, which is needed to attach an IAM role to the EC2 instance that it's attempting to launch. [Correct option(s)] B. The Lambda function's execution role does not have iam:PassRole permission for the requested IAM instance profile.
upvoted 6 times
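As an added illustration of the point made above (not code from the exam page or any commenter), the following shows a least-privilege execution-role policy for a Lambda function that launches an EC2 instance with an instance profile, alongside a small evaluator that checks exactly which iam:PassRole requests the policy grants. All account IDs, role names and ARNs are constructed placeholders, and the evaluator models only the subset of IAM logic these policies use.

```python
"""Added example (not from the exam page or its commenters): a least-privilege
Lambda execution-role policy for launching EC2 with an instance profile, and
a small evaluator to check what iam:PassRole it actually grants.  All ARNs
and names are constructed placeholders."""
import fnmatch

ACCOUNT = "123456789012"  # constructed account ID
INSTANCE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/ec2-app-role"  # constructed
ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/AdminRole"        # constructed

# ec2:RunInstances on its own is not enough: passing an instance profile makes
# EC2 check iam:PassRole against the caller, so grant it for exactly one role
# and only when that role is handed to the EC2 service.
LAMBDA_EXECUTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances"], "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": INSTANCE_ROLE_ARN,
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        },
    ],
}

# Over-broad shape to avoid: lets the function pass any role to any service.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows_pass_role(policy, role_arn, passed_to="ec2.amazonaws.com"):
    """Simplified IAM logic for one PassRole request: an explicit Deny wins,
    otherwise any matching Allow grants.  Actions match case-insensitively,
    resource ARNs case-sensitively; only a StringEquals condition on
    iam:PassedToService is modelled, which is all these policies use."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase("iam:passrole", a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        services = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        if services is not None and passed_to not in _as_list(services):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Running the evaluator against both policies shows the scoped policy permits passing only the intended role, and only to EC2, while the over-broad one permits passing the admin role anywhere.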
cloudenthusiast
Highly Voted 1 year, 10 months ago
Selected Answer: A
The access denied error message from the Lambda function's execution role is most likely caused by: A. The Lambda function’s execution role does not have kms:CreateGrant and kms:Decrypt KMS key permissions for the encrypted AMI. When launching an EC2 instance from an encrypted AMI using a customer managed key in AWS KMS, the Lambda function's execution role needs the kms:CreateGrant and kms:Decrypt permissions for the KMS key used to encrypt the AMI. These permissions allow the Lambda function to create a grant to decrypt the key and access the encrypted AMI during the provisioning process. Without these KMS permissions, the Lambda function's execution role will be denied access to the encrypted AMI, resulting in an access denied error.
upvoted 6 times
kret
Most Recent 1 year, 1 month ago
Selected Answer: B
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html iam:PassRole is needed in order to launch EC2 with a specific role attached
upvoted 1 times
Salah21
1 year, 5 months ago
Selected Answer: A
https://repost.aws/knowledge-center/kms-iam-ec2-permission
upvoted 1 times
Nuha_23
1 year, 8 months ago
Selected Answer: B
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/troubleshooting-launch.html#troubleshooting-launch-permissions
upvoted 1 times
francinetanzx
1 year, 10 months ago
Selected Answer: B
https://aws.amazon.com/blogs/security/granting-permission-to-launch-ec2-instances-with-iam-roles-passrole-permission/
upvoted 2 times
Green53
1 year, 10 months ago
Selected Answer: B
I found it difficult to find supporting material for both A and B. I found: https://repost.aws/knowledge-center/kms-launch-ec2-instance which shows that both 'Decrypt' and 'CreateGrant' are required by the autoscaling service to attach encrypted volumes (but not for the AMI itself). I then found: https://medium.com/@ashish.kalani/permission-model-for-launching-ec2-instance-with-iam-profile-fd3f7340699e suggesting that PassRole is required. In the end, I thought about the security implications of allowing a Lambda function to provision an EC2 instance that had an Administrator level role, and whether that should be controlled. I went with B, but both could be argued.
upvoted 1 times
kuber2023
1 year, 10 months ago
Selected Answer: B
Can't be A as kms:CreateGrant doesn't make any sense in this scenario.
upvoted 1 times
p4v10
1 year, 10 months ago
Selected Answer: A
A makes more sense to me
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other