


  • AWS Certified Security – Specialty Practice Exams 2020 – Question 56 – KMS root

  • lokeai

    Member
    August 10, 2020 at 7:28 pm

    Hello, I’m reviewing the answers for a question and I believe they are not correct.

    A Security Administrator prepared a new AWS Key Management Service (AWS KMS) key with the following key policy:

    {
        "Sid": "Enable Tutorials Dojo Permissions",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::111122223333:root"
        },
        "Action": "kms:*",
        "Resource": "*"
    }

    The correct answers should be

    Allows all IAM users in 111122223333 AWS Account to have full access to the KMS key.

    Allows access for the 111122223333 AWS account to manage the KMS key access through IAM policies.

    However, you are mentioning that “Allows the root user in the 111122223333 AWS Account to have full access to the KMS key.” This is not correct according to https://www.youtube.com/watch?v=X1eZjXQ55ec from the 23-minute mark. Thank you!

  • lokeai

    Member
    August 10, 2020 at 10:38 pm

    I have another question.

    A media company runs a Python script that uses the AWS CLI command aws s3 cp to upload a large file to an Amazon S3 bucket, which includes an AWS KMS key. An Access Denied error always shows up whenever their developers upload a file with a size of 10 GB or more. However, when they tried to upload a smaller file with the KMS key, the upload succeeds.

    Which of the following are potential reasons why this issue is happening? (Select TWO.)

    You said that these are correct:

    The AWS CLI S3 commands perform a multipart upload when the file is large.

    The IAM policy of the developer does not include the kms:Decrypt permission.

    However, they are able to decrypt files smaller than 10 GB, so kms:Decrypt is not a solution, right?

    • lokeai

      Member
      August 12, 2020 at 12:22 am

      These are all the possible answers:

      The kms:Encrypt permission is missing from the IAM policy of the developers.

      The AWS CLI S3 commands perform a multipart upload when the file is large.

      There is an attached inline policy in the developers’ IAM permissions that restricts them from uploading a file with a size of 10 GB or more.

      The IAM policy of the developer does not include the kms:Decrypt permission.

      10 GB is the maximum size that can be encrypted in KMS.

    • Jon-Bonso

      Administrator
      August 12, 2020 at 7:57 am

      Hi,

      Take note that the scenario did NOT say that they were able to decrypt smaller files. It only said:

      “…they tried to upload a smaller file with the KMS key, the upload succeeds.”

      It clearly said upload, not decrypt. Kindly check the provided explanation and reference links:

      https://aws.amazon.com/premiumsupport/knowledge-center/s3-large-file-encryption-kms-key

      https://aws.amazon.com/premiumsupport/knowledge-center/s3-multipart-kms-decrypt/

      • lokeai

        Member
        August 12, 2020 at 3:16 pm

        Perfect. Good point. Thanks Jon! How about the first question?

        • Jon-Bonso

          Administrator
          September 3, 2020 at 8:35 am

          For the first question, you have a valid point. I have rectified this incorrect statement.

          Thanks again!

  • Jon-Bonso

    Administrator
    September 3, 2020 at 8:34 am

    Thanks for bringing this up to our attention and for sharing the relevant AWS YouTube video. I have updated the option regarding the “root user” for the IAM Policy. The change will be reflected in our practice tests soon.

    Cheers,

    Jon Bonso @ Tutorials Dojo
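The two points settled in this thread, as an added example that is not part of the original thread or of Tutorials Dojo's material: a key policy naming the account root ARN delegates access control to the account's IAM policies (it is not limited to the root user), and an upload that the AWS CLI performs as a multipart upload needs kms:Decrypt on top of kms:GenerateDataKey. The developer policy, bucket name and key id below are constructed; the 8 MB multipart threshold is the CLI default.

```python
import fnmatch
import json

# The AWS CLI s3 commands switch to multipart upload above multipart_threshold (default 8 MB).
DEFAULT_MULTIPART_THRESHOLD = 8 * 1024 * 1024

def _as_list(value):
    return value if isinstance(value, list) else [value]

def key_policy_delegates_to_iam(key_policy: dict, account_id: str) -> bool:
    """True if an Allow statement names the account root ARN as principal.
    That statement grants the whole account, so IAM policies in it can grant
    key access; it is not limited to the root user (the thread's first point)."""
    root_arn = f"arn:aws:iam::{account_id}:root"
    for stmt in _as_list(key_policy.get("Statement", [])):
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and root_arn in aws:
            return True
    return False

def required_kms_actions(file_size: int, threshold: int = DEFAULT_MULTIPART_THRESHOLD) -> set:
    """A single PutObject with SSE-KMS needs kms:GenerateDataKey; a multipart
    upload also needs kms:Decrypt, because S3 decrypts the per-part data keys
    when the upload is completed (the thread's second point)."""
    needed = {"kms:GenerateDataKey"}
    if file_size >= threshold:
        needed.add("kms:Decrypt")
    return needed

def missing_kms_actions(policy: dict, file_size: int, threshold: int = DEFAULT_MULTIPART_THRESHOLD) -> set:
    """Required KMS actions that no Allow statement in the IAM policy grants.
    Action matching is case-insensitive with '*' and '?' wildcards, as in IAM;
    Resource, Condition and explicit Deny statements are not evaluated here."""
    patterns = [a.lower() for s in _as_list(policy.get("Statement", []))
                if s.get("Effect") == "Allow" for a in _as_list(s.get("Action", []))]
    return {a for a in required_kms_actions(file_size, threshold)
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}

# Constructed developer policy: enough for small uploads, not for multipart ones.
DEVELOPER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:PutObject", "s3:AbortMultipartUpload"],
   "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Effect": "Allow", "Action": "kms:GenerateDataKey",
   "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]}""")

if __name__ == "__main__":
    for size in (1024 ** 2, 10 * 1024 ** 3):  # 1 MB and 10 GB
        print(size, "bytes: missing", missing_kms_actions(DEVELOPER_POLICY, size) or "nothing")
```

Run it against a real identity policy exported with the IAM API to see which of the two KMS actions a large upload would fail on before the developers hit Access Denied.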
