Certified Security - Specialty


Grant tokens need to be explained better

Not so much a question as feedback on the course. Grant tokens are only mentioned in passing in the topic on grants. I got a detailed question on this concept in my recent exam, and know for certain that I got it wrong. In preparation for the exam, I highly recommend reading the grant documentation https://docs.aws.amazon.com/kms/latest/developerguide/grants.html, but to explain grant tokens:

When a grant is created, the underlying permissions are applied on an "eventual consistency" basis. Once the grant is in effect, the user doesn’t need to pass any additional information to the CLI/API in order to take advantage of the newly granted permissions. To ensure the user can use the grant immediately, the create grant API returns a grant token which can be used until the grant has taken effect.

Eric Woo

Thanks for this. I think the "eventual consistency" applies to revoking a grant too. When I tested this after revoking the grant, it seems that the user profile can still run kms encrypt. The AccessDenied error only appears after several minutes.

0 Answers
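The two behaviours discussed in this thread (using a new grant immediately through its grant token, and waiting for a revocation to actually take effect) as an added example that is not part of the original posts or the course. `FakeKMS`, `AccessDenied`, the `lag` value and the grant id and token strings are constructed stand-ins so the code runs offline; the method and parameter names (`create_grant`, `revoke_grant`, `encrypt`, `GrantTokens`) mirror the boto3 KMS client, and the behaviour after revocation is an assumption modelled on the comment above.

```python
import time

class AccessDenied(Exception):
    """Constructed stand-in for the AccessDenied error KMS returns."""

class FakeKMS:
    """Constructed stand-in for a KMS client: grant changes need `lag` calls to apply."""
    def __init__(self, lag=3):
        self.lag, self.active_in, self.revoked_in = lag, None, None

    def create_grant(self, KeyId, GranteePrincipal, Operations):
        self.active_in = self.lag
        return {"GrantId": "constructed-grant-id", "GrantToken": "constructed-token"}

    def revoke_grant(self, KeyId, GrantId):
        self.revoked_in = self.lag

    def encrypt(self, KeyId, Plaintext, GrantTokens=()):
        if self.revoked_in is not None:   # revocation requested: still works for a while
            self.revoked_in -= 1
            allowed = self.revoked_in >= 0
        else:                             # grant not yet propagated: only the token works
            granted = self.active_in is not None
            allowed = granted and (self.active_in == 0 or "constructed-token" in GrantTokens)
            if granted and self.active_in > 0:
                self.active_in -= 1
        if not allowed:
            raise AccessDenied("not authorized to perform kms:Encrypt")
        return {"CiphertextBlob": b"ct:" + Plaintext}

def encrypt_with_new_grant(owner, grantee, key_id, grantee_arn, plaintext):
    """Create a grant, then use it at once by passing the returned grant token."""
    grant = owner.create_grant(KeyId=key_id, GranteePrincipal=grantee_arn, Operations=["Encrypt"])
    out = grantee.encrypt(KeyId=key_id, Plaintext=plaintext, GrantTokens=[grant["GrantToken"]])
    return grant["GrantId"], out["CiphertextBlob"]

def revoke_and_confirm(owner, grantee, key_id, grant_id, is_denied, attempts=20, delay=0.0):
    """Revoke the grant, then probe until the grantee is really denied; return probe count."""
    owner.revoke_grant(KeyId=key_id, GrantId=grant_id)
    for attempt in range(1, attempts + 1):
        try:
            grantee.encrypt(KeyId=key_id, Plaintext=b"revocation-probe")
        except Exception as exc:
            if is_denied(exc):
                return attempt
            raise
        time.sleep(delay)
    raise TimeoutError("grant still usable after %d probes" % attempts)
```

Against real KMS, pass two boto3 clients (key owner and grantee) and an `is_denied` that checks a `botocore.exceptions.ClientError` for `response["Error"]["Code"] == "AccessDeniedException"`, with a non-zero `delay`.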
