
Exam AWS Certified Security - Specialty topic 1 question 482 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 482
Topic #: 1

A systems engineer must design and troubleshoot AWS services for a new project. The project deploys applications onto two Amazon EC2 instances that are named EC2A and EC2B. Both instances need to encrypt dozens of files by using an AWS Key Management Service (AWS KMS) customer managed key.

The key has the following key policy:



EC2RoleA is the role that EC2A uses. This role does not have any IAM policy that is related to AWS KMS. EC2RoleB is the role that EC2B uses. This role has the following IAM policy:



Both IAM roles are within the same AWS account that contains the customer managed key.

What will happen when EC2A and EC2B attempt to use the customer managed key?

  • A. Both EC2A and EC2B can use the customer managed key properly for encryption.
  • B. Neither EC2A nor EC2B will be able to use the customer managed key for encryption.
  • C. EC2A cannot use the customer managed key for encryption. EC2B can use the customer managed key for encryption.
  • D. EC2A can use the customer managed key for encryption. EC2B cannot use the customer managed key for encryption.
Suggested Answer: D

Comments

michele_scar
Highly Voted 1 year, 10 months ago
Selected Answer: B
EC2A doesn't have any KMS policy, and without an explicit allow -> DENY. EC2B has an explicit DENY. So, no one can use it.
upvoted 6 times
cherry23
1 year, 9 months ago
An IAM policy is not a must if the key policy allows access.
upvoted 2 times
michele_scar
1 year, 10 months ago
EC2A doesn't have any IAM KMS*
upvoted 1 times
Salah21
1 year, 5 months ago
I agree. For EC2A you need an IAM policy that allows the use of the key; the key policy alone is not enough.
upvoted 1 times
M2ao
1 year, 5 months ago
But if it is the same account, then does it still need an IAM policy for EC2A, as the key policy already explicitly allows t
upvoted 1 times
6_8ftwin
Highly Voted 1 year, 10 months ago
Selected Answer: D
Use this flowchart: https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html
EC2B role is obvious: explicit IAM policy deny = deny.
EC2A role: no applicable deny, no blocking SCP, no VPC endpoint deny, key policy explicitly allows and in same account = allow.
upvoted 5 times
Green53
1 year, 10 months ago
Also reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
"For most resources, you only need an explicit allow for the principal in either an identity-based policy or a resource-based policy to grant access. IAM role trust policies and KMS key policies are exceptions to this logic, because they must explicitly allow access for principals."
I'd then review the example provided on: https://docs.aws.amazon.com/kms/latest/developerguide/customer-managed-policies.html#iam-policy-example-deny-disable-delete
"The following IAM policy prevents a user from disabling or deleting any KMS keys, even when another IAM policy or a key policy allows these permissions. A policy that explicitly denies permissions overrides all other policies, even those that explicitly allow the same permissions."
Which suggests that the IAM policy will overwrite the KMS policy (when there is a deny).
upvoted 1 times
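The two readings argued in this thread (key policy names the role directly, versus key policy only names the account root and so defers to IAM) can be checked against the documented evaluation order. The following simulation is an added example, not code from the exam page or from AWS; the account id, role ARNs and both key policies are constructed assumptions, since the actual key policy in the question is an image that is not reproduced here.

```python
# Added example (not from the exam page or AWS docs): a simplified simulation of
# the KMS policy-evaluation order cited in the comments above. Account id, role
# ARNs and the policy documents below are constructed assumptions.
ACCOUNT = "111122223333"  # constructed account id
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
ROLE_A = f"arn:aws:iam::{ACCOUNT}:role/EC2RoleA"
ROLE_B = f"arn:aws:iam::{ACCOUNT}:role/EC2RoleB"

def _matches(stmt, principal, action):
    """Does this statement's Principal (identity, for IAM statements) and Action cover the call?"""
    princ = stmt.get("Principal", {}).get("AWS", principal)  # IAM statements carry no Principal
    princs = [princ] if isinstance(princ, str) else princ
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    return principal in princs and any(a in (action, "kms:*") for a in actions)

def evaluate(key_policy, iam_policy, principal, action, same_account=True):
    """Return 'ALLOW' or 'DENY' for one KMS API call, following the documented order:
    explicit deny anywhere -> deny; key policy naming the caller (same account) -> allow;
    key policy naming the account root -> defer to the caller's IAM policy; else implicit deny."""
    iam_stmts = iam_policy["Statement"] if iam_policy else []
    key_stmts = key_policy["Statement"]
    # 1. An explicit Deny in any applicable policy overrides every Allow.
    for s in iam_stmts + key_stmts:
        if s["Effect"] == "Deny" and _matches(s, principal, action):
            return "DENY"
    # 2. Key policy names the caller directly: no IAM policy needed within the same account.
    key_allows_caller = any(s["Effect"] == "Allow" and _matches(s, principal, action)
                            for s in key_stmts)
    if key_allows_caller and same_account:
        return "ALLOW"
    # 3. Key policy only enables IAM policies via the account root principal (or the
    #    caller is in another account): an explicit IAM Allow is still required.
    root_enabled = any(s["Effect"] == "Allow" and _matches(s, ROOT, action) for s in key_stmts)
    iam_allows = any(s["Effect"] == "Allow" and _matches(s, principal, action) for s in iam_stmts)
    if (root_enabled or key_allows_caller) and iam_allows:
        return "ALLOW"
    return "DENY"  # 4. No applicable Allow: implicit deny

# Constructed policies for the two readings argued in the thread.
KEY_POLICY_NAMES_ROLES = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "kms:*"},
    {"Effect": "Allow", "Principal": {"AWS": [ROLE_A, ROLE_B]}, "Action": "kms:Encrypt"}]}
KEY_POLICY_ROOT_ONLY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "kms:*"}]}
IAM_POLICY_B = {"Statement": [{"Effect": "Deny", "Action": "kms:Encrypt", "Resource": "*"}]}
IAM_ALLOW_ENCRYPT = {"Statement": [{"Effect": "Allow", "Action": "kms:Encrypt", "Resource": "*"}]}
```

With the first key policy EC2RoleA is allowed and EC2RoleB is denied (answer D); with the root-only key policy EC2RoleA is also denied until an IAM policy grants kms:Encrypt (answer B), so which answer is right depends entirely on what the key policy image shows.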
Arad
Most Recent 10 months, 2 weeks ago
Selected Answer: D
D is the correct answer.
upvoted 1 times
kret
1 year, 1 month ago
Selected Answer: B
Neither RoleA nor RoleB can access the key. "When the principal in a key policy statement is the account principal, the policy statement doesn't give any IAM principal permission to use the KMS key" -> https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-root-enable-iam
upvoted 1 times
yorkicurke
1 year, 3 months ago
Selected Answer: D
Since EC2A is a principal in the "same account" and there’s no explicit deny in the key policy for EC2A, it can use the customer managed key for encryption. On the other hand, EC2B has an explicit deny in its IAM policy for the “kms:Encrypt” action, which overrides the allow in the key policy, hence EC2B cannot use the key for encryption.
upvoted 1 times
Amy2009
1 year, 4 months ago
D is correct. An IAM policy is not a must if the key policy allows access.
upvoted 1 times
AgboolaKun
1 year, 5 months ago
Selected Answer: B
That no IAM policy is specified for EC2A does not mean EC2A is implicitly permitted to use the key. What this means is an implicit DENY, like michele_scar explained. Therefore, the correct answer here is that both EC2 instances won't be able to use the key: one with an explicit DENY and one with an implicit DENY.
upvoted 1 times
Salah21
1 year, 5 months ago
Selected Answer: B
I agree with michele_scar's answer. IAM policies by themselves are not sufficient to allow access to a CMK. However, you can use them in combination with a CMK's key policy if the key policy enables it (i.e., you'll need an IAM policy + a key policy that will allow you to use the key).
upvoted 1 times
kuber2023
1 year, 10 months ago
Selected Answer: D
EC2A's role has an explicit allow in the key policy, so it should work.
upvoted 1 times
danielklein09
1 year, 10 months ago
Selected Answer: D
D - because EC2A doesn't have a policy that explicitly denies its access.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other