Amazon Exam SCS-C01 Topic 1 Question 50 Discussion

Actual exam question for Amazon's SCS-C01 exam

Question #: 50
Topic #: 1

Your company has created a set of keys using the IAM KMS service. They need to ensure that each key is only used for certain services. For example , they want one key to be used only for the S3 service. How can this be achieved?

Please select:

ACreate an IAM policy that allows the key to be accessed by only the S3 service.

BCreate a bucket policy that allows the key to be accessed by only the S3 service.

CUse the kms:ViaService condition in the Key policy

DDefine an IAM user, allocate the key and then assign the permissions to the required service

Show Suggested Answer

Suggested Answer: A, D, E

https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html

To get objects from an S3 bucket that are encrypted with a KMS customer managed key, the security team needs to have the following factors in place:

The IAM instance profile that is attached to the EC2 instance must allow the s3:GetObject action to the S3 bucket or object in the AWS account. This permission is required to read the object from S3. Option A is incorrect because it specifies the s3:ListBucket action, which is only required to list the objects in the bucket, not to get them.

The KMS key policy that encrypts the object in the S3 bucket must allow the kms:Decrypt action to the EC2 instance profile ARN. This permission is required to decrypt the object using the KMS key. Option D is correct.

The security group that is attached to the EC2 instance must have an outbound rule to the S3 managed prefix list over port 443. This rule is required to allow HTTPS traffic from the EC2 instance to S3 within the AWS infrastructure. Option E is correct. Option B is incorrect because it specifies the s3:ListParts action, which is only required for multipart uploads, not for getting objects. Option C is incorrect because it specifies the kms:ListKeys action, which is not required for getting objects. Option F is incorrect because it specifies an inbound rule from the S3 managed prefix list, which is not required for getting objects. Verified Reference:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html

https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html

by Jutta at Nov 22, 2023, 03:28 PM

Limited Time Offer

25%

Off

Get Premium SCS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

1 years ago

Hmm, this question seems pretty straightforward. I think the key issues here are around the IAM permissions and the KMS key policy. We definitely need to make sure the EC2 instance has the right permissions to list the S3 bucket and decrypt the objects using the KMS key.

upvoted 0 times

...