A user in account 111122223333 is receiving an access denied error message while calling the AWS Key Management Service (AWS KMS) GenerateDataKey API operation. The key policy contains the following statement: Account 111122223333 is not using AWS Organizations SCPs. Which combination of steps should a security engineer take to ensure that KMSUser can perform the action on the key? (Choose two.)

Admin Staff asked 7 months ago
A user in account 111122223333 is receiving an access denied error message while calling the AWS Key Management Service (AWS KMS) GenerateDataKey API operation. The key policy contains the following statement:
[Image: key policy statement]
Account 111122223333 is not using AWS Organizations SCPs.
Which combination of steps should a security engineer take to ensure that KMSUser can perform the action on the key? (Choose two.)

A. Modify the key policy to include the key's key ID in the Resource field.

B. Verify that KMSUser has no explicit denies for the GenerateDataKey action in its attached IAM policies.

C. Verify that KMSUser is allowed to perform the GenerateDataKey action in its attached IAM policies for the encryption context.

D. Ensure that KMSUser is including the encryption context key-value pair in its GenerateDataKey.

E. Revoke any KMS grants on the key that are denying the GenerateDataKey action for KMSUser.






 

Suggested Answer: AC

Community Answer: BD




This question is in SCS-C01 AWS Certified Security – Specialty Exam
For getting AWS Certified Security – Specialty Certificate


Disclaimers:
The website is not related to, affiliated with, endorsed or authorized by Amazon.
Trademarks, certification & product names are used for reference only and belong to Amazon.
The website does not contain actual questions and answers from Amazon's Certification Exam.