Your developer is using the KMS service and an assigned key in their Java program.
They get the below error when running the code.

arn:aws:iam::113745388712:user/UserB is not authorized to perform: kms:DescribeKey

Which of the following options could help resolve the issue? [Select TWO]
A. B. C. D.

Answer: B and C.
Option A is incorrect because you do not need to assign roles to allow access to the application.
Option B is CORRECT because the authentication and access control of KMS API operations can be done using IAM Policies.
Option C is CORRECT because the authentication and access control of KMS API operations can be done using Key Policies.
Option D is incorrect because the permissions are not pertinent to the bucket policy.
In our scenario, we are receiving an error indicating that UserB has not been authorized to perform the "DescribeKey" action.
This is because the permission is not defined in the Key or IAM Policy.
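The sketch below is an added example, not code from the original page or from AWS. It models how a key policy and an IAM policy combine for UserB's kms:DescribeKey call within one account. The evaluation is deliberately simplified, and the KeyAdmin user, the us-east-1 region and the EXAMPLE-KEY-ID key ID are constructed placeholders.

```python
# Simplified same-account model (assumption): ignores conditions, grants, SCPs,
# permission boundaries and wildcards other than "kms:*" and Resource "*".
ACCOUNT = "113745388712"                      # account ID from the error message
USER_B = f"arn:aws:iam::{ACCOUNT}:user/UserB"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/KeyAdmin"   # hypothetical key administrator
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/EXAMPLE-KEY-ID"  # placeholder

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, principal=None):
    """True if the statement covers the action (and principal, for key policies)."""
    actions = _as_list(stmt["Action"])
    if action not in actions and "kms:*" not in actions:
        return False
    return principal is None or principal in _as_list(stmt["Principal"]["AWS"])

def is_allowed(action, user_arn, key_policy, iam_policy):
    key = key_policy["Statement"]
    # Identity-policy statements only count if they name this key (or "*").
    iam = [s for s in iam_policy["Statement"]
           if set(_as_list(s["Resource"])) & {KEY_ARN, "*"}]
    def hit(stmts, effect, principal=None):
        return any(s["Effect"] == effect and _matches(s, action, principal)
                   for s in stmts)
    if hit(key, "Deny", user_arn) or hit(iam, "Deny"):
        return False                          # explicit deny always wins
    if hit(key, "Allow", user_arn):
        return True                           # key policy names the user directly
    # Otherwise the key policy must delegate to the account AND IAM must allow.
    return hit(key, "Allow", ROOT) and hit(iam, "Allow")

def make_key_policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

# Constructed sample policies.
DELEGATES_TO_IAM = make_key_policy({"Effect": "Allow", "Principal": {"AWS": ROOT},
                                    "Action": "kms:*", "Resource": "*"})
ADMIN_ONLY = make_key_policy({"Effect": "Allow", "Principal": {"AWS": ADMIN},
                              "Action": "kms:*", "Resource": "*"})
NAMES_USER_B = make_key_policy(*ADMIN_ONLY["Statement"],
                               {"Effect": "Allow", "Principal": {"AWS": USER_B},
                                "Action": "kms:DescribeKey", "Resource": "*"})
IAM_NONE = {"Version": "2012-10-17", "Statement": []}
IAM_DESCRIBE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:DescribeKey", "Resource": KEY_ARN}]}
```

In this model an IAM policy alone grants nothing when the key policy does not delegate to the account (`ADMIN_ONLY` with `IAM_DESCRIBE` is denied), which is the first thing to check when an IAM fix does not clear the error.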
For more information on IAM & Key Policy, kindly refer to the below URLs:
https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

The error message suggests that the IAM user UserB does not have the necessary permissions to perform the "kms:DescribeKey" action on the key that is being used by the Java program. To resolve this issue, we need to ensure that UserB is granted the necessary permissions to access the key.
Option A and Option B are both correct answers as they both address the issue of granting UserB the necessary permissions to access the key.
Option A suggests that we should ensure that UserB is given the appropriate IAM role to access the key. This means that UserB needs to have a role that has the necessary permissions to perform the "kms:DescribeKey" action on the key. If UserB already has a role assigned, we need to ensure that the role has the appropriate permissions. If UserB does not have a role assigned, we need to create one and assign it to UserB.
Option B suggests that we should ensure that UserB is given the right permissions in the IAM policy. This means that we need to ensure that the IAM policy attached to UserB's IAM user account has the necessary permissions to perform the "kms:DescribeKey" action on the key. If the IAM policy already has the necessary permissions, we do not need to make any changes. If the IAM policy does not have the necessary permissions, we need to update it to include the required permissions.
Option C is incorrect because the Key policy controls the access to the KMS key and not the IAM user. Therefore, we cannot grant UserB access to the key by modifying the Key policy.
Option D is also incorrect because it refers to a Bucket policy, which is used to control access to S3 buckets, not KMS keys.
In summary, to resolve the issue, we need to ensure that UserB is granted the necessary permissions to access the KMS key. This can be achieved by assigning UserB the appropriate IAM role or updating the IAM policy attached to UserB's IAM user account.