Exam AWS Certified SysOps Administrator - Associate topic 1 question 70 discussion

The vendor is required to host the S3 bucket. It holds the company's data. The vendor wants to use a company-provided key to encrypt the data. So the company needs to create the new key and then provide access to that key from the IAM role which was provided by the vendor. (Answer: A) D - Can't be D as that would mean the company is hosting the data (not the vendor). D is hosting the data at the company and providing access to the data to the vendor.

Correct Answer: A Option A is correct because it specifies creating a new KMS key and explicitly adding the vendor's IAM role ARN to the key policy. This approach allows the vendor to use the KMS key for encryption while ensuring access control and security through the key policy. By providing the KMS key ARN to the vendor, they can use it to encrypt the data in the S3 bucket hosted in their account. Other Options: Option B creates an unnecessary IAM user and an inline policy, adding complexity without directly addressing KMS encryption needs. Option C suggests using the KMS-managed S3 key, which is controlled by AWS and does not provide the flexibility of adding external roles to the key policy. Option D configures encryption using the KMS-managed S3 key but adds the vendor's role to the S3 bucket policy rather than the KMS key policy, which would not grant the needed access to use the key for encryption.

By creating a new KMS key, the SysOps administrator is ensuring that the key used to encrypt the company's data is distinct and managed separately. The key policy is the primary resource-based policy that controls who can access and manage the key. By adding the vendor's IAM role ARN to the KMS key policy, the SysOps administrator is giving the vendor permissions to use the key, while keeping the control of the key. By providing the ARN of the new KMS key to the vendor, the vendor will be able to use that key to encrypt the company's data stored in the S3 bucket in the vendor's account.

The provided answer links to an outside practice question - But if you go to that link **THE QUESTION** is different. It's as if ExamTopics has the wrong answer assigned to this question or they've pasted the wrong question into it. As the question is written now, it's DEFINITELY *NOT* D. As others said - The S3 bucket needs to be in the vendor's account - So you would obviously not create one in YOUR account for this use.

You need to create a new KMS from the question

kms is in company's account. S3 is in vendor's account. Company must allow encrypt/decrypt vendor's IAM role in the KMS policy. Company should share KMS ARN of KMS. Managed S3 KMS cannot be shared, you cannot edit its policy

The vendor has to host the S3, not your own company

A is the right option from my point of view

I agree with Fedorian So the company needs to create the new key and then provide access to that key from the IAM role which was provided by the vendor

https://www.filecloud.com/supportdocs/fcdoc/latest/server/filecloud-administrator-guide/filecloud-site-setup/storage-settings/filecloud-managed-storage/s3-storage-encryption-with-aws-cross-account-kms-key

I vote for A. C. INCORRECT: You can't modify KMS managed S3 key policy. D. INCORRECT: Because the bucket is in the vendor's account not in the company's account. Moreover, bucket policy doesn't allow Role encrypt/decrypt data. You need to use KMS Key policy.

A. Create a new KMS key. Add the vendor's IAM role ARN to the KMS key policy. Provide the new KMS key ARN to the vendor.

Vote for A

Going for A

Ans: A

It's A guys.

Bucket is in vendor's account, encrypted using company's key. So the vendor will require permission to use key to access data.