Your company has created a set of keys using the AWS KMS service. They need to ensure that each key is only used for certain services. For example, they want one key to be used only for the S3 service.
How can this be achieved?
A . Create an IAM policy that allows the key to be accessed by only the S3 service.
B . Create a bucket policy that allows the key to be accessed by only the S3 service.
C . Use the kms:ViaService condition in the Key policy
D . Define an IAM user, allocate the key and then assign the permissions to the required service
Answer: C
Explanation:
Option A and B are invalid because mapping keys to services cannot be done via either the IAM or bucket policy
Option D is invalid because keys for IAM users cannot be assigned to services This is mentioned in the AWS Documentation
The kms:ViaService condition key limits use of a customer-managed CMK to requests from particular AWS services. (AWS managed CMKs in your account, such as aws/s3, are always restricted to the AWS service that created them.)
For example, you can use kms: V1aService to allow a user to use a customer managed CMK only for requests that Amazon S3 makes on their behalf. Or you can use it to deny the user permission to a CMK when a request on their behalf comes from AWS Lambda. For more information on key policy’s for KMS please visit the following URL: https://docs.aws.amazon.com/kms/latest/developereuide/policy-conditions.html
The correct answer is: Use the kms:ViaServtce condition in the Key policy Submit your Feedback/Queries to our Experts
Leave a Reply