What is the function of the following AWS Key Management Service (KMS) key policy attached to a customer master key (CMK)?
A. The Amazon WorkMail and Amazon SES services have delegated KMS encrypt and decrypt permissions to the ExampleUser principal in the 111122223333 account.
B. The ExampleUser principal can transparently encrypt and decrypt email exchanges specifically between ExampleUser and AWS.
C. The CMK is to be used for encrypting and decrypting only when the principal is ExampleUser and the request comes from WorkMail or SES in the specified region.
D. The key policy allows WorkMail or SES to encrypt or decrypt on behalf of the user for any CMK in the account.
The question indicated that the KMS key policy is attached to a specific CMK.
A and B do not mention the CMK, while D mentions it's for any CMK.
C correctly states that the policy is for the CMK which the policy is attached to.
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
D is correct. The "behalf" word is the key point here: https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-via-service