AWS Certified Security - Specialty Exam: Minimum Set of Permissions for CMK Key Policies for Developers

Minimum Set of Permissions for CMK Key Policies

Question

You are the Security Administrator for your company.

You have to set the Key Policies for a set of users for a set of CMK keys.

These users are developers who need to have the ability to encrypt and decrypt large data files using CMK keys.

Which of the following is the minimum set of permissions that should be applied in the Key policies?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Answer - A.

This is also mentioned as an example in the AWS Documentation.

Options B is INCORRECT because the user needs to have the ability to generate the data keys.

Option C is INCORRECT because you should not allow users to create keys.

For more information on key policies, please visit the below URL.

https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
‘Allow use of the key",
: "Allow",
"Principal": {"AWS": [

“arn: aws > iam (111122223333: BUS en AMSUS er >

ncrypt",

‘eEncrypt*",
enerateDatakey*",
“kms :DescribeKey”

1,

“Resource”: “*"

As the Security Administrator for your company, you have been tasked with setting the Key Policies for a set of users for a set of CMK keys. The users are developers who need to have the ability to encrypt and decrypt large data files using CMK keys. The question is asking for the minimum set of permissions that should be applied in the Key policies.

Option A allows actions on kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, and kms:DescribeKey. This set of permissions allows the users to encrypt, decrypt, re-encrypt, generate data keys, and describe keys. This option provides more permissions than necessary because the users only need to encrypt and decrypt large data files. Hence, option A is not the minimum set of permissions that should be applied.

Option B allows actions on kms:Encrypt, kms:Decrypt, and kms:ReEncrypt*. This set of permissions allows the users to encrypt, decrypt, and re-encrypt. This option provides the necessary permissions for the users to encrypt and decrypt large data files. Hence, option B is the minimum set of permissions that should be applied.

Option C allows actions on kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, and kms:Create*. This set of permissions allows the users to encrypt, decrypt, re-encrypt, generate data keys, and create new keys. This option provides more permissions than necessary because the users only need to encrypt and decrypt large data files. Hence, option C is not the minimum set of permissions that should be applied.

Therefore, the correct answer is option B - Allow actions on kms:Encrypt, kms:Decrypt, and kms:ReEncrypt*.