An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius. How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?

Topic #: - All AWS Certified Security - Specialty Questions

A. Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action.
B. Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name. Most Voted
C. Configure the IAM user’s policy to allow KMS to pass a role to Amazon S3.
D. Configure the IAM user’s policy to allow only Amazon S3 operations when they are combined with the CMK.

- Awsexamhub website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius. How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?

Suggested Answer:

Reference Material:

An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius. How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?

Suggested Answer:

Reference Material:

Share this post

Join the Discussion