AWS Certified Solutions Architect - Professional Exam: Configuration for Cross-Account Access to Customer Managed Key (CMK) in KMS - Best Practices

Question

Your team creates a Customer Managed Key (CMK) in KMS in an AWS account (111122223333).

The key is supposed to be used by another account (444455556666) for encryption and decryption operations.

At the moment, it is known that only IAM user Bob and IAM role Admin in the account (444455556666) need access.

Which configurations are required together to achieve this requirement? (Select TWO.)

Explanations

Correct Answer - B, D.

Check https://docs.aws.amazon.com/en_pv/kms/latest/developerguide/key-policy-modifying-external-accounts.html on how to allow users or roles in other accounts to use a CMK.

Option A is incorrect: Because this key policy gives the entire external account (every user and role in it that an IAM policy in that account allows) permission, which violates the 'principle of least privilege.'

Option B is CORRECT: Because this follows the 'principle of least privilege' by giving permission only to "Admin" and "Bob" as per the requirements stated.

Option C is incorrect: Because the additional "arn:aws:iam::444455556666:root" entry is not required.

Option D is CORRECT: In account 444455556666, IAM policies can be used to configure the permissions to use the key in another account.

This option will work together with Option A to assign permissions.

Option E is incorrect: Because the field should be "Resource" instead of "Principal" in IAM policies; an identity-based IAM policy has no "Principal" element, and "Resource" is what controls which resources the IAM entity is allowed to act on.

The correct answers for this question are A and B.

Explanation: To allow IAM user Bob and IAM role Admin in the account (444455556666) to use the Customer Managed Key (CMK) created in KMS in another AWS account (111122223333) for encryption and decryption operations, two configurations are required together:

A. Edit the Principal of the key policy as below: "Principal": { "AWS": [ "arn:aws:iam::444455556666:root" ] }

This configuration allows the AWS account 444455556666 root user (and, through IAM policies in that account, any of its IAM users and roles) to use the CMK. However, it's not recommended to grant access to the root user unless it's necessary.

B. Edit the Principal of the key policy as below: "Principal": { "AWS": [ "arn:aws:iam::444455556666:role/Admin", "arn:aws:iam::444455556666:user/Bob" ] }

This configuration allows IAM user Bob and IAM role Admin in the account (444455556666) to use the CMK. This is a better approach as it follows the least privilege principle.

C. Edit the Principal of the key policy as below: "Principal": { "AWS": [ "arn:aws:iam::444455556666:root", "arn:aws:iam::444455556666:role/Admin", "arn:aws:iam::444455556666:user/Bob" ] }

Option C is not necessary because option B already includes the required IAM user and IAM role.

D. In account 444455556666, allow the KMS encryption and decryption actions as below: "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

Option D is not necessary because the question states that the key is supposed to be used by another account (111122223333), and the question specifically asks for the required configurations to achieve the given requirement.

E. In account 444455556666, allow the KMS encryption and decryption actions as below: "Principal": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

Option E is incorrect because it specifies the principal as the CMK itself, which doesn't make sense. The key policy should specify the AWS account or IAM user/role that's allowed to use the CMK.
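The two explanation sections above describe the same pair of configurations: a key policy in the key-owning account (111122223333) naming the external principals, and an identity-based IAM policy in the consumer account (444455556666) scoped to the key ARN by its "Resource" field. The following Python script is an added example, not part of the original page, that builds both documents and adds a small least-privilege check over the key policy, flagging a policy that grants an external account root (option A or C style) rather than the specific user and role (option B style). The account IDs and key ARN are the ones from the question; the first key-policy statement (the owning account's root principal, which keeps the key manageable through IAM in the owning account) and the action list beyond Encrypt/Decrypt (ReEncrypt*, GenerateDataKey*, DescribeKey, the set AWS documentation usually pairs with cryptographic use) are assumptions that go beyond what the page states.

```python
import json

# Values taken from the question (constructed sample identifiers, not real accounts).
KEY_ACCOUNT = "111122223333"       # account that owns the CMK
CONSUMER_ACCOUNT = "444455556666"  # account whose principals need to use it
KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Assumption: the usual set of cryptographic actions; the page only names
# "encryption and decryption operations".
CRYPTO_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]


def key_policy(external_principals):
    """Key policy for the CMK in the key-owning account.

    Statement 1 (assumption, standard AWS practice) lets the owning account
    keep administering the key via IAM. Statement 2 grants the cryptographic
    actions to exactly the external principals passed in: option B style when
    given user/role ARNs, option A style when given the account root ARN.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableIAMPoliciesInKeyOwningAccount",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{KEY_ACCOUNT}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowUseOfTheKeyByExternalPrincipals",
                "Effect": "Allow",
                "Principal": {"AWS": list(external_principals)},
                "Action": CRYPTO_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def consumer_iam_policy(key_arn):
    """Identity-based IAM policy attached to Bob and Admin in the consumer
    account (option D). Scoping is done with "Resource"; an identity-based
    policy carries no "Principal" element, which is why option E is malformed.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": CRYPTO_ACTIONS,
            "Resource": key_arn,
        }],
    }


def _account_of(principal_arn):
    # arn:partition:service:region:account-id:resource -> account-id is field 4
    parts = principal_arn.split(":")
    return parts[4] if len(parts) > 4 else None


def external_grantees(policy, key_account):
    """Inspect a key policy and return (external_principals, too_broad).

    external_principals: frozenset of allowed principal ARNs that belong to an
    account other than key_account. too_broad: True if any of them is an
    account root or the "*" wildcard, i.e. the grant delegates the decision of
    who may use the key to the other account's IAM instead of naming
    Bob and Admin explicitly.
    """
    external, too_broad = set(), False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if principal == "*" else principal.get("AWS", [])
        for arn in [aws] if isinstance(aws, str) else aws:
            if arn == "*":
                external.add(arn)
                too_broad = True
            elif _account_of(arn) != key_account:
                external.add(arn)
                if arn.endswith(":root"):
                    too_broad = True
    return frozenset(external), too_broad


if __name__ == "__main__":
    least_privilege = key_policy([
        f"arn:aws:iam::{CONSUMER_ACCOUNT}:role/Admin",
        f"arn:aws:iam::{CONSUMER_ACCOUNT}:user/Bob",
    ])
    whole_account = key_policy([f"arn:aws:iam::{CONSUMER_ACCOUNT}:root"])
    print("option B grantees:", external_grantees(least_privilege, KEY_ACCOUNT))
    print("option A grantees:", external_grantees(whole_account, KEY_ACCOUNT))
    print(json.dumps(consumer_iam_policy(KEY_ARN), indent=2))
```

The key policy document is what you would pass to `aws kms put-key-policy --policy-name default --policy file://key-policy.json` in the owning account; the IAM policy is attached to the user and role in the consumer account. Both pieces are needed: the key policy alone does nothing until the consumer account's IAM policy also allows the actions on that key ARN, and the IAM policy alone cannot grant access to a key in another account.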