Amazon Exam SCS-C01 Topic 2 Question 65 Discussion

Actual exam question for Amazon's SCS-C01 exam

Question #: 65
Topic #: 2

A developer has created an AWS Lambda function in a company's development account. The Lambda function requires the use of an AWS Key Management Service (AWS KMS) customer managed key that exists in a security account that the company's security team controls. The developer obtains the ARN of the KMS key from a previous Lambda function in the development account. The previous Lambda function had been working properly with the KMS key.

When the developer uses the ARN and tests the new Lambda function an error message states that access is denied to the KMS key in the security account. The developer tests the previous Lambda function that uses the same KMS key and discovers that the previous Lambda function still can encrypt data as expected.

A security engineer must resolve the problem so that the new Lambda function in the development account can use the KMS key from the security account.

Which combination of steps should the security engineer take to meet these requirements? (Select TWO.)

AIn the security account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

BIn the development account configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.

CIn the development account configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

DConfigure a key policy for the KMS key m the security account to allow access to the IAM role of the new Lambda function in the security account.

EConfigure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.

Show Suggested Answer

Suggested Answer: C, E

To allow cross-account access to a KMS key, the key policy of the KMS key must grant permission to the external account or principal, and the IAM policy of the external account or principal must delegate the key policy permission. In this case, the new Lambda function in the development account needs to use the KMS key in the security account, so the key policy of the KMS key must allow access to the IAM role of the new Lambda function in the development account (option E), and the IAM role of the new Lambda function in the development account must have an IAM policy that allows access to the KMS key in the security account (option C). Option A is incorrect because it creates an IAM role for the new Lambda function in the security account, not in the development account. Option B is incorrect because it attaches a key policy to an IAM role, which is not valid. Option D is incorrect because it allows access to the IAM role of the new Lambda function in the security account, not in the development account. Verified Reference:

https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html

https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html

by Merilyn at Jul 10, 2024, 11:33 AM

Limited Time Offer

25%

Off

Get Premium SCS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Gregoria

13 days ago

Oof, this is a tough one. I'm leaning towards B and E. The security engineer needs to bridge the gap between the development and security accounts to get this resolved.

upvoted 0 times

Reuben

3 days ago

A: B) In the development account configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.

upvoted 0 times

...

2 months ago

I think the answer is B and E. The developer needs to configure an IAM role in the development account and attach a key policy in the security account to allow access to the KMS key.

upvoted 0 times