-
AWS Certified Security – Specialty Practice Exams 2020 – Question 56 – KMS root
-
Hello, I’m reviewing the answers for a question and I believe they are not correct.
A Security Administrator prepared a new AWS Key Management Service (AWS KMS) key with the following key policy:
{
  "Sid": "Enable Tutorials Dojo Permissions",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:root"
  },
  "Action": "kms:*",
  "Resource": "*"
}
The correct answers should be
Allows all IAM users in 111122223333 AWS Account to have full access to the KMS key.
Allows access for the 111122223333 AWS account to manage the KMS key access through IAM policies.
However, you are mentioning that “Allows the root user in the 111122223333 AWS Account to have full access to the KMS key.” This is not correct according to https://www.youtube.com/watch?v=X1eZjXQ55ec (from the 23-minute mark). Thank you!
-
I have another question.
“A media company runs a Python script that uses the AWS CLI command aws s3 cp to upload a large file to an Amazon S3 bucket, which includes an AWS KMS key. An Access Denied error always shows up whenever their developers upload a file with a size of 10 GB or more. However, when they tried to upload a smaller file with the KMS key, the upload succeeds.
Which of the following are potential reasons why this issue is happening? (Select TWO.)”
You said that these are correct:
The AWS CLI S3 commands perform a multipart upload when the file is large.
The IAM policy of the developer does not include the kms:Decrypt permission.
However, they are able to decrypt files smaller than 10 GB, so kms:Decrypt is not a solution, right?
-
These are all the possible answers:
The kms:Encrypt permission is missing from the IAM policy of the developers.
The AWS CLI S3 commands perform a multipart upload when the file is large.
There is an attached inline policy in the developers’ IAM permissions that restricts them from uploading a file with a size of 10 GB or more.
The IAM policy of the developer does not include the kms:Decrypt permission.
10 GB is the maximum size that can be encrypted in KMS.
-
Hi,
Take note that the scenario did NOT say that they were able to decrypt smaller files. It only said:
“…they tried to upload a smaller file with the KMS key, the upload succeeds.”
It clearly said upload, not decrypt. Kindly check the provided explanation and reference links:
https://aws.amazon.com/premiumsupport/knowledge-center/s3-large-file-encryption-kms-key
https://aws.amazon.com/premiumsupport/knowledge-center/s3-multipart-kms-decrypt/
-
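The two points in this thread (a key policy that grants kms:* to the account root principal delegates access control to IAM policies, and a multipart SSE-KMS upload needs kms:Decrypt on top of the encrypt-side permissions) can be checked together. The following is an added example, not code from the practice test or from AWS; the policies are constructed, the IAM evaluation is a simplified Allow/Deny matcher, and the required-action list follows the knowledge-center articles linked above.

```python
import fnmatch
# Constructed sample policies (not from the practice test); account id as in the thread.
ACCOUNT = "111122223333"
KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable Tutorials Dojo Permissions", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
    "Action": "kms:*", "Resource": "*"}]}
# Developer IAM policy with only the encrypt-side KMS actions, and the same policy
# with kms:Decrypt added (constructed).
DEV_POLICY_BROKEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:GenerateDataKey"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"}]}
DEV_POLICY_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:GenerateDataKey", "kms:Decrypt"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"}]}
# KMS actions an SSE-KMS multipart upload needs: GenerateDataKey for any SSE-KMS
# PutObject, plus Decrypt once the CLI switches to multipart for large files.
MULTIPART_SSE_KMS_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")

def _listify(v):
    return v if isinstance(v, list) else [v]

def _action_allowed(policy, action):
    """Simplified IAM evaluation: an explicit Deny wins, else any matching Allow grants."""
    allowed = False
    for st in policy["Statement"]:
        patterns = [p.lower() for p in _listify(st.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def key_policy_delegates_to_iam(key_policy, account_id):
    """True when the key policy grants kms:* to the account root principal, which is
    what lets IAM policies in that account control access to the key (question 56)."""
    root = f"arn:aws:iam::{account_id}:root"
    for st in key_policy["Statement"]:
        principals = _listify(st.get("Principal", {}).get("AWS", []))
        if st["Effect"] == "Allow" and root in principals and "kms:*" in _listify(st["Action"]):
            return True
    return False

def missing_multipart_kms_actions(key_policy, iam_policy, account_id):
    """KMS actions the developer still lacks for a large (multipart) SSE-KMS upload."""
    if not key_policy_delegates_to_iam(key_policy, account_id):
        return list(MULTIPART_SSE_KMS_ACTIONS)  # IAM policies alone cannot grant access
    return [a for a in MULTIPART_SSE_KMS_ACTIONS if not _action_allowed(iam_policy, a)]
```

With the broken developer policy the only missing action is kms:Decrypt, which is why small single-part uploads succeed while large multipart ones are denied; with a key policy that does not name the account root, no IAM policy in that account can grant access at all.
-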
Perfect. Good point. Thanks John! How about the first question?
-
For the first question, you have a valid point. I have rectified this incorrect statement.
Thanks again!
-
Thanks for bringing this to our attention and for sharing the relevant AWS YouTube video. I have updated the option regarding the “root user” for the IAM Policy. The change will be reflected in our practice tests soon.
Cheers,
Jon Bonso @ Tutorials Dojo