You are reviewing the key policy attached to one of your CMKs and you notice the following statement:
{
  "Effect": "Deny",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/betty"
  },
  "Action": [
    "kms:Encrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": [
        "lambda.us-west-2.amazonaws.com"
      ]
    }
  }
}
What does this mean?
a. The policy prevents the CMK from being used for any encrypt operations unless the request comes from Lambda in us-west-2
b. The policy prevents the CMK from being used for encrypt operations unless the request comes from the user betty
c. The policy prevents the CMK from being used when the request comes from AWS Lambda on behalf of the user betty
d. The policy prevents the CMK from being used for encrypt operations when the request comes from AWS Lambda on behalf of the user betty (SELECTED)
e. The policy prevents the CMK from being used for encrypt operations if the request comes from the user betty
f. The policy allows the CMK to be used for encrypt operations unless the request comes from Lambda in us-west-2
The closest answer is d, but it misses the region (us-west-2) information in the answer and thus it cannot be a complete answer.
I agree. A better-worded question would prevent confusion that could creep in, especially when we are crossing out all the wrong options.