Exam AWS Certified Security - Specialty topic 1 question 17 discussion

Agreed C and E are correct https://www.1strategy.com/blog/2018/01/09/ec2-encrypted-ebs-and-iam-users/

Correct C and E! Need to add Action and Condition! "Action": "kms:CreateGrant", and "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } }

Correct answers are BC. As per AWS guide: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html << Permissions for users When you use a KMS key for EBS encryption, the KMS key policy allows any user with access to the required AWS KMS actions to use this KMS key to encrypt or decrypt EBS resources. You must grant users permission to call the following actions in order to use EBS encryption: kms:CreateGrant kms:Decrypt kms:DescribeKey kms:GenerateDataKeyWithoutPlainText kms:ReEncrypt >> Clearly, without the condition "GrantIsForAWSResource" it will work still (it just add a restriction, not mandatory for operation). But without "kms:Decrypt" action, it will not work.

C & E is correct

To allow an IAM user to start EC2 instances with encrypted EBS volumes without exposing the key to them, you can use the `kms:CreateGrant` permission in combination with the `kms:GrantIsForAWSResource` policy condition.

Looks like its CE https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

By using the kms:CreateGrant permission, in combination with the kms:GrantIsForAWSResource policy condition, we can allow an IAM user to start EC2 instances with encrypted EBS volumes without exposing the key to them. This causes less headache on the IAM user’s end and still allows you to keep your keys secure. https://www.1strategy.com/blog/2018/01/09/ec2-encrypted-ebs-and-iam-users/

The following example key policy statement uses the kms:GrantIsForAWSResource condition key. It allows AWS services that are integrated with AWS KMS, such as Amazon EBS, to create grants on this KMS key on behalf of the specified principal. { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:CreateGrant", "Resource": "*", "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } } }

CE { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:CreateGrant" ], "Resource": [ "arn:aws:kms:<region>:<account #>:key/<key id>" ], "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } } } ] }

C &E are correct, and it is really hard question :( https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html The following example key policy statement uses the kms:GrantIsForAWSResource condition key. It allows AWS services that are integrated with AWS KMS, such as Amazon EBS, to create grants on this CMK on behalf of the specified user. { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/ExampleUser" }, "Action": "kms:CreateGrant", "Resource": "*", "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } } }

Ans: CE 100%

C and E are correct.

A & C It is written in this AWS best practice "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncrypt*", "kms:CreateGrant" ], https://aws.amazon.com/blogs/compute/must-know-best-practices-for-amazon-ebs-encryption/

Ans > C,E https://www.1strategy.com/blog/2018/01/09/ec2-encrypted-ebs-and-iam-users/

Ans (C and E) https://www.1strategy.com/blog/2018/01/09/ec2-encrypted-ebs-and-iam-users/

Ans (C and E) https://www.1strategy.com/blog/2018/01/09/ec2-encrypted-ebs-and-iam-users/

C and E are correct. A - Incorrect, It's not required to create Datakey as it is already present on EBS. B - Incorrect, Technically this option is required too. When ec2 calls KMS for decryption the datakey. C - Correct, EBS sends a CreateGrant request to AWS KMS, so that it can decrypt the data key. D - Incorrect, over option E. Technically D and E both are correct but D works for us-west-2 region for ec2 only whereas E will allow for all region and all aws services inluding ec2. Here question didn't specify region. Thus we have to avoid region restriction. E - correct , see reason stated for D ref : https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-grant-is-for-aws-resource