An Application team has requested a new AWS KMS master key for use with Amazon S3, but the organizational security policy requires separate master keys for different AWS services to limit blast radius. How can an AWS KMS customer master key (CMK) be constrained to work with only Amazon S3?
A) Configure the CMK key policy to allow only the Amazon S3 service to use the kms:Encrypt action.
B) Configure the CMK key policy to allow AWS KMS actions only when the kms:ViaService condition matches the Amazon S3 service name.
C) Configure the IAM user's policy to allow KMS to pass a role to Amazon S3.
D) Configure the IAM user's policy to allow only Amazon S3 operations when they are combined with the CMK.
Correct Answer:
Verified
Q82: A recent security audit found that AWS
Q83: A company is operating an open-source software
Q84: A company is migrating its legacy workloads
Q85: For compliance reasons, a Security Engineer must
Q86: A company has an encrypted Amazon S3
Q88: A Security Administrator is restricting the capabilities
Q89: A company's Developers plan to migrate their
Q90: A Security Engineer manages AWS Organizations for
Q91: A company has decided to migrate sensitive
Q92: A Development team has built an experimental
Unlock this Answer For Free Now!
View this answer and more for free by performing one of the following actions
Scan the QR code to install the App and get 2 free unlocks
Unlock quizzes for free by uploading documents