Secure Implementation of Customer-Managed Keys (CMK) for AWS Services | SCS-C01 Exam Answer

Protecting TestCMK and Enabling Secure Usage by EC2 and RDS in us-west-2 | SCS-C01 Exam Answer

Question

In your organization, a customer-managed key named TestCMK has been created for a new project.

This key is supposed to be used only by the AWS services in this project, including EC2 and RDS in the region us-west-2.

For security reasons, you need to make sure that no other services can encrypt or decrypt using this particular CMK.

In the meantime, EC2 and RDS should use the key without issues.

How should you implement this?

Explanations

Answer: C.

Option A is incorrect because this solution cannot ensure that only EC2 or RDS can use this CMK.

Option B is incorrect because other services, and any principal able to assume the role, may still use the CMK once the role is attached.

Option C is correct because kms:ViaService is the key policy condition key that limits use of the CMK to requests made through specific AWS services. The value carries both the service and the region (service.region.amazonaws.com), so it restricts the key to EC2 and RDS in us-west-2 at the same time.

For example, the following condition can be added to the key policy statement that grants key users their permissions. kms:ViaService is a single-valued condition key, so use a plain StringEquals with a list of values (the list is matched as OR); the set operators ForAnyValue and ForAllValues are meant for multivalued keys:

```json
"Condition": {
  "StringEquals": {
    "kms:ViaService": [
      "ec2.us-west-2.amazonaws.com",
      "rds.us-west-2.amazonaws.com"
    ]
  }
}
```

Option D is incorrect because kms:ValidTo is a condition key that controls ImportKeyMaterial requests based on the expiration date (ValidTo) of imported key material.

It does not identify the calling service and would not work for the current scenario.

For more details on AWS KMS condition keys, refer to:

https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html

The correct answer is C - Configure a key policy for this CMK. Use kms:ViaService to check if the request comes from ec2.us-west-2.amazonaws.com or rds.us-west-2.amazonaws.com.

Explanation: AWS Key Management Service (KMS) lets you create customer-managed keys (CMKs) for encrypting and decrypting data in AWS. Access to a CMK is controlled primarily by its key policy, and the kms:ViaService condition key lets that policy restrict the key to requests made through specific AWS services in a specific region, because each value names both the service and the region. In this scenario, we need to restrict TestCMK so that it is used only by EC2 and RDS in us-west-2.

Option A is incorrect because attaching an IAM policy to each IAM user to deny kms:Encrypt and kms:Decrypt does not restrict which AWS services can use this CMK. IAM identity policies only affect the users, groups, and roles they are attached to; they say nothing about the service through which a permitted request arrives, and they do not cover principals that have no such policy attached.

Option B is incorrect because configuring an IAM service role to allow kms:Encrypt and kms:Decrypt when the key is TestCMK does not restrict other AWS services from using the CMK. IAM roles delegate permissions to entities you trust. Attaching the role to EC2 and RDS resources lets them use TestCMK, but any other service or principal that can assume the role, or that is granted access elsewhere, can still use it.

Option D is incorrect because kms:ValidTo does not identify the calling service. It is a condition key that filters ImportKeyMaterial requests by the expiration date of the imported key material, so it cannot limit which services encrypt or decrypt with the key.

Option C is the correct answer because we can use the kms:ViaService condition key to check if the request comes from ec2.us-west-2.amazonaws.com or rds.us-west-2.amazonaws.com. This will restrict the use of the TestCMK key to only EC2 and RDS services in the us-west-2 region.

To implement this solution, we need to follow these steps:

  1. Open the AWS KMS console and navigate to the TestCMK key.
  2. On the Key policy tab, switch to the policy view and choose Edit.
  3. Add the following statement to the key policy:

```json
{
  "Sid": "RestrictAccessToEC2AndRDS",
  "Effect": "Deny",
  "Principal": "*",
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Describe*"
  ],
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "kms:ViaService": [
        "ec2.us-west-2.amazonaws.com",
        "rds.us-west-2.amazonaws.com"
      ]
    }
  }
}
```

This key policy statement denies encryption and decryption requests to TestCMK except for those that arrive through EC2 or RDS in the us-west-2 region. Because it is an explicit Deny on Principal "*", it also binds the account root and the key administrators, so add it alongside, not instead of, the Allow statements that grant EC2 and RDS key users their permissions. Requests that do not pass through an AWS service (for example, a direct `aws kms encrypt` call from the CLI) carry no kms:ViaService key at all, so test such a call after applying the policy to confirm it behaves as you intend.
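The procedure above edits the policy by hand in the console. The following script is an added example (not part of the original page and not AWS sample code) that builds the same kms:ViaService Allow and Deny statements programmatically, merges them into an existing key policy without dropping the statements already there, lints the result for the common mistakes discussed above (a set operator on the single-valued kms:ViaService key, a service outside us-west-2, a policy with no administrative statement), and writes it back with PutKeyPolicy. The account ID 111122223333, the role ARN, and the alias `alias/TestCMK` are assumed placeholders; boto3 is only used in the guarded main block.

```python
"""Build, lint and apply a key policy that limits TestCMK to EC2 and RDS in us-west-2."""
import json

REGION = "us-west-2"
# kms:ViaService values have the form <service>.<region>.amazonaws.com
ALLOWED_VIA_SERVICE = [f"ec2.{REGION}.amazonaws.com", f"rds.{REGION}.amazonaws.com"]
CRYPTO_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*"]


def build_statements(account_id, key_user_arns):
    """Statements following the AWS default key policy layout (root administration,
    key users, grants) with the kms:ViaService condition added. account_id and
    key_user_arns are hypothetical inputs supplied by the caller."""
    return [
        {   # Keep the account root able to administer the key so it can never become unmanageable.
            "Sid": "EnableRootAdministration",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {   # Key users may use the key only when EC2 or RDS in us-west-2 calls KMS on their behalf.
            "Sid": "AllowUseViaEC2AndRDS",
            "Effect": "Allow",
            "Principal": {"AWS": key_user_arns},
            "Action": CRYPTO_ACTIONS + ["kms:DescribeKey"],
            "Resource": "*",
            "Condition": {"StringEquals": {"kms:ViaService": ALLOWED_VIA_SERVICE}},
        },
        {   # EC2 (for EBS volumes) and RDS create grants on the key; allow grants for AWS resources only.
            "Sid": "AllowGrantsForAWSResources",
            "Effect": "Allow",
            "Principal": {"AWS": key_user_arns},
            "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        },
        {   # Explicit deny for every principal, root included, when the request comes via any other service.
            # Direct KMS API calls carry no kms:ViaService key; test one after applying the policy.
            "Sid": "DenyUseOutsideEC2AndRDS",
            "Effect": "Deny",
            "Principal": "*",
            "Action": CRYPTO_ACTIONS,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"kms:ViaService": ALLOWED_VIA_SERVICE}},
        },
    ]


def merge_key_policy(existing_policy, account_id, key_user_arns):
    """Merge the TestCMK statements into an existing key policy. Statements that share a
    Sid with a generated one are replaced, so re-running the merge is idempotent."""
    new = build_statements(account_id, key_user_arns)
    new_sids = {s["Sid"] for s in new}
    kept = [s for s in existing_policy.get("Statement", []) if s.get("Sid") not in new_sids]
    return {"Version": "2012-10-17",
            "Id": existing_policy.get("Id", "key-policy-TestCMK"),
            "Statement": kept + new}


def check_policy(policy):
    """Return a list of findings; an empty list means the policy has the intended shape."""
    findings = []
    for s in policy["Statement"]:
        for op, keys in s.get("Condition", {}).items():
            via = keys.get("kms:ViaService")
            if via is None:
                continue
            if op.startswith(("ForAllValues", "ForAnyValue")):
                findings.append(f"{s['Sid']}: kms:ViaService is single-valued; use "
                                f"{op.split(':')[-1]} instead of {op}")
            for value in ([via] if isinstance(via, str) else via):
                if value not in ALLOWED_VIA_SERVICE:
                    findings.append(f"{s['Sid']}: unexpected kms:ViaService value {value}")
    if not any(s["Effect"] == "Allow" and s["Action"] == "kms:*" for s in policy["Statement"]):
        findings.append("no full-access administrative statement; key may become unmanageable")
    return findings


def apply_key_policy(kms_client, key_id, policy):
    """Write the policy with PutKeyPolicy. kms_client is a boto3 KMS client; KMS refuses the
    update if the caller would lose administrative access unless the lockout check is bypassed."""
    return kms_client.put_key_policy(KeyId=key_id, PolicyName="default", Policy=json.dumps(policy))


if __name__ == "__main__":
    import boto3  # only needed for the live update, not for building or linting the policy
    kms = boto3.client("kms", region_name=REGION)
    current = json.loads(kms.get_key_policy(KeyId="alias/TestCMK", PolicyName="default")["Policy"])
    merged = merge_key_policy(current, "111122223333",
                              ["arn:aws:iam::111122223333:role/ProjectKeyUsers"])
    problems = check_policy(merged)
    if problems:
        raise SystemExit("refusing to apply policy:\n" + "\n".join(problems))
    apply_key_policy(kms, "alias/TestCMK", merged)
```

Run the linter against any policy you are about to apply: it flags a condition written as `ForAnyValue:StringEquals` on kms:ViaService and any service principal outside us-west-2, which are the two ways this condition is most often mis-written. After applying, verify the intent with a direct `aws kms encrypt --key-id alias/TestCMK --plaintext dGVzdA==` from an IAM identity that is not a key user, and with an EBS volume or RDS instance created with the key in us-west-2.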