Certified Security - Specialty


AWS KMS Policy

Can someone help me with the question below? Choose 2

{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "kms:*",
  "Resource": "*"
}

A. The policy allows access for the AWS account 111122223333 to manage key access through IAM policies.

B. The policy allows all IAM users in account 111122223333 to have full access to the KMS key.

C. The policy allows the root user in account 111122223333 to have full access to the KMS key.

D. The policy allows the KMS service-linked role in account 111122223333 to have full access to the KMS key.

E. The policy allows all IAM roles in account 111122223333 to have full access to the KMS key.

4 Answers

This example enables IAM policies. This means that if this is in place as part of your key’s policy, you can then use IAM policies to give IAM users and roles in the account access to the CMK (A). By default it also enables the root user of account 111122223333 access (C).

Best answer is:

A and C

I really like this re:Invent 2017 video: https://www.youtube.com/watch?v=X1eZjXQ55ec

Explanation of this policy begins at 22:56. Delegates all KMS actions to IAM.
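
The reading given in the answers above, as an added example that is not part of the original thread: a small Python audit helper that classifies each principal in a key policy and reports which accounts have IAM policies enabled for the key. The sample policy is constructed; the second statement, the role name ExampleAppRole and all function names are assumptions made for illustration.

```python
import json
import re

# Constructed sample: the statement from the question plus a hypothetical
# second statement that names one role (ExampleAppRole) directly.
SAMPLE_KEY_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "EnableIAMPolicies", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Action": "kms:*", "Resource": "*"},
  {"Sid": "DirectRoleUse", "Effect": "Allow",
   "Principal": {"AWS": ["arn:aws:iam::111122223333:role/ExampleAppRole"]},
   "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}
""")
ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):root$|^(\d{12})$")
IDENTITY = re.compile(r"^arn:aws:iam::(\d{12}):(user|role)/.+$")

def as_list(value):
    """Policy fields may hold a single item or a list of items."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def classify_principal(arn):
    """Return (kind, account_id) for one value of Principal.AWS."""
    if arn == "*":
        return ("anyone", None)
    m = ACCOUNT.match(arn)
    if m:
        # Names the account, not one identity: users and roles in it still
        # need an IAM policy that allows the kms: action on this key.
        return ("account", m.group(1) or m.group(2))
    m = IDENTITY.match(arn)
    return (m.group(2), m.group(1)) if m else ("other", None)

def summarize(policy):
    """One (sid, kind, account_id, actions) row per principal of each Allow."""
    rows = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for arn in arns:
            rows.append((stmt.get("Sid", ""), *classify_principal(arn),
                         as_list(stmt.get("Action", []))))
    return rows

def iam_enabled_accounts(policy):
    """Accounts whose IAM policies can grant access to the key."""
    return sorted({a for _, kind, a, _ in summarize(policy) if kind == "account"})
```

To audit a real key, pass the parsed JSON policy document to summarize() in place of the sample.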
