A company wants to establish separate AWS Key Management Service (AWS KMS) keys to use for different AWS services. The company's security engineer created the following key policy to allow the infrastructure deployment team to create encrypted Amazon Elastic Block Store (Amazon EBS) volumes by assuming the InfrastructueDeployment IAM role:
The security engineer recently discovered that IAM roles other than the InfrastructureDeployment role used this key for other services.
Which change to the policy should the security engineer make to resolve these issues?
A. In the statement block that contains the Sid ג€Allow use of the keyג€, under the ג€Conditionג€ block, change StringEquals to StringLike.
B. In the policy document, remove the statement block that contains the Sid ג€Enable IAM User Permissionsג€. Add key management policies to the KMS policy.
C. In the statement block that contains the Sid ג€Allow use of the keyג€, under the ג€Conditionג€ block, change the kms:ViaService value to ec2.us-east- 1.amazonaws.com.
D. In the policy document, add a new statement block that grants the kms:Disable* permission to the security engineer's IAM role.
Â
Suggested Answer: C
Community Answer: B
Reference -
https://docs.aws.amazon.com/kms/latest/developerguide/kms-dg.pdf
This question is in SCS-C01 AWS Certified Security – Specialty Exam
For getting AWS Certified Security – Specialty Certificate
Disclaimers:
The website is not related to, affiliated with, endorsed or authorized by Amazon.
Trademarks, certification & product names are used for reference only and belong to Amazon.
The website does not contain actual questions and answers from Amazon's Certification Exam.
