Certified Security - Specialty


Limited answer choices

The answer in the Q: You would like to limit the use of a KMS CMK to requests which originate from S3 only, how would you configure this?

Use the kms:ViaService Condition Key in the Key Policy

Use the kms:ViaService Condition Key in the KMS ACL

Use the kms:ViaService Condition Key in the S3 Bucket Policy

Use the kms:ViaService Condition Key in the IAM Policy

I chose IAM Policy over Key Policy, however, only Key Policy was marked as the correct answer. This is untrue since the condition kms:ViaService can be used in both Key Policy and IAM Policy according to AWS Documentation, "The kms:ViaService condition key is valid in IAM and key policy statements." [1]

[1] Using Policy Conditions with AWS KMS. Retrieved from https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service

Michael Garcia

Perhaps it’s best to convert the selection in this question to tickboxes instead of radio buttons so we can select two answers.

1 Answer

Thank you, I will double-check the question and see if I can work out what’s happening!

Faye
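
The following is an added example, not part of the original thread and not AWS code: it writes the same `kms:ViaService` restriction as a key policy statement and as an IAM policy statement, then checks constructed request contexts against it with a simplified model of `StringEquals`. The account ID, role name, key ID and region are placeholder assumptions.

```python
import json

# Constructed placeholders (assumptions, not from the thread).
ACCOUNT = "111122223333"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/ExampleAppRole"
VIA_S3 = {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}
ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"]

# Key policy statement: attached to the CMK, so it names the principal.
KEY_POLICY_STATEMENT = {
    "Sid": "AllowUseOnlyViaS3",
    "Effect": "Allow",
    "Principal": {"AWS": ROLE_ARN},
    "Action": ACTIONS,
    "Resource": "*",
    "Condition": VIA_S3,
}

# IAM policy statement: attached to the role, so it names the key instead.
IAM_POLICY_STATEMENT = {
    "Sid": "AllowUseOnlyViaS3",
    "Effect": "Allow",
    "Action": ACTIONS,
    "Resource": f"arn:aws:kms:us-east-1:{ACCOUNT}:key/EXAMPLE-KEY-ID",
    "Condition": VIA_S3,
}

def condition_matches(statement, request_context):
    """Simplified StringEquals model: every condition key must be present
    in the request context with the expected value, so a request that
    carries no kms:ViaService key does not match the Allow statement."""
    for key, expected in statement["Condition"]["StringEquals"].items():
        if request_context.get(key) != expected:
            return False
    return True

# Constructed request contexts.
via_s3 = {"kms:ViaService": "s3.us-east-1.amazonaws.com"}
via_ebs = {"kms:ViaService": "ec2.us-east-1.amazonaws.com"}
direct = {}  # modelled as a direct KMS API call with no kms:ViaService key

if __name__ == "__main__":
    print(json.dumps(KEY_POLICY_STATEMENT, indent=2))
    for name, ctx in [("via S3", via_s3), ("via EC2/EBS", via_ebs), ("direct", direct)]:
        print(name, condition_matches(KEY_POLICY_STATEMENT, ctx))
```

The condition block is identical in both statements; only the `Principal` and `Resource` elements differ between the key policy and the IAM policy form.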
