KMS and VPC Endpoints answers not clear
-
In this question: “A company has an application that heavily uses AWS KMS to encrypt financial data. A Security Engineer has been instructed to ensure that communications between the company’s VPC and AWS KMS do not pass through the public Internet.”
It says this is correct: “In the AWS KMS key policy, add a new aws:sourceVpc condition and reference the VPC ID.”
And it says this is incorrect: “Modify the AWS KMS key policy to include the aws:sourceVpce condition and reference the VPC endpoint ID.”
In the answer review, it goes on to state the following: “The option that says: In the AWS KMS key policy, add a new aws:sourceVpc condition and reference the VPC ID is incorrect because you have to use aws:sourceVpce condition instead of the aws:sourceVpc condition that directly refers to the VPC and not to the VPC Endpoint. In addition, you have to specify the VPC endpoint ID and not the VPC ID.”
However, looking at the official documentation here, and here, you will see that using aws:sourceVpc is definitely supported for this scenario. It provides similar restrictions to aws:sourceVpce while supporting the existence of multiple VPC endpoints inside a single VPC. The question doesn’t state anything about requiring all traffic to go through one specific VPC endpoint; it simply states the requirement of ensuring traffic does not pass through the public Internet, which aws:sourceVpc would certainly accomplish.
-
Hi Mark,
Could you kindly expound on your issue, please? The provided answers in this scenario are:
– Modify the AWS KMS key policy to include the aws:sourceVpce condition and reference the VPC endpoint ID.
– Set up a new VPC endpoint for AWS KMS with private DNS enabled.
It doesn’t say that the former is incorrect. It’s the other way around.
If you are using a VPC Endpoint, the communication between your VPC and AWS KMS is conducted entirely within the AWS network and doesn’t pass through the public Internet.
Regarding the aws:sourceVpc condition, this is useful if you have multiple VPC endpoints configured in the same VPC. This means that you still have to use VPC Endpoints in order for you to use this condition.
I acknowledge that the aws:sourceVpc condition could possibly be a valid answer here; however, the scenario fails to mention that the VPC already has existing VPC endpoints. If this option says “… launch multiple VPC endpoints in the VPC and include the aws:sourceVpc condition”, then yes, this is a valid answer, but the scenario doesn’t warrant the use of multiple VPC endpoints in the first place.
To avoid any further issues, I’ll revise the option to clear up this ambiguity.
Thanks again for sharing your thoughts, and let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!
Regards,
Jon Bonso @ Tutorials Dojo
-
Yes I’m simply saying aws:sourceVpc could be a valid answer here. The details provided after the question don’t give a good reason for why it isn’t valid.
-
Yup, thanks Mark, and I agree with you. The aws:sourceVpc condition is a valid answer as well under certain conditions mentioned above.
Cheers,
Jon Bonso
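To make the distinction discussed in this thread concrete, here is an added Python example (not from Tutorials Dojo or the question bank) that builds the two Deny statements in the shape the KMS documentation uses and models how IAM evaluates StringNotEquals against a request context. The VPC and endpoint IDs are constructed placeholders, and `deny_matches` is a simplified model of IAM's negated-operator rule (a missing context key satisfies StringNotEquals), not the real policy engine.

```python
from typing import Dict, Optional

# Constructed placeholder IDs; not real AWS resources.
VPC_ID = "vpc-0123456789abcdef0"
VPCE_A = "vpce-0123456789abcdef0"   # the "approved" KMS endpoint
VPCE_B = "vpce-0fedcba9876543210"   # a second KMS endpoint in the same VPC

KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]


def deny_unless(condition_key: str, expected: str) -> dict:
    """Key-policy Deny statement: block the KMS actions unless the request
    context carries `condition_key` with the value `expected`."""
    return {
        "Sid": f"DenyUnless-{condition_key}",
        "Effect": "Deny",
        "Principal": "*",
        "Action": KMS_ACTIONS,
        "Resource": "*",
        "Condition": {"StringNotEquals": {condition_key: expected}},
    }


def deny_matches(statement: dict, ctx: Dict[str, str]) -> bool:
    """Model of IAM's StringNotEquals for a Deny. A negated operator is also
    satisfied when the key is absent, so a call that arrived over the public
    Internet (which carries neither aws:sourceVpc nor aws:sourceVpce) is denied."""
    for key, expected in statement["Condition"]["StringNotEquals"].items():
        if ctx.get(key) != expected:
            return True  # condition holds, Deny applies
    return False


def request_ctx(vpce_id: Optional[str], vpc_id: Optional[str]) -> Dict[str, str]:
    """Request context as KMS sees it; both keys exist only for endpoint calls."""
    ctx: Dict[str, str] = {}
    if vpce_id:
        ctx["aws:sourceVpce"] = vpce_id
    if vpc_id:
        ctx["aws:sourceVpc"] = vpc_id
    return ctx


def evaluate(statement: dict) -> Dict[str, bool]:
    """Whether each constructed sample request is denied by `statement`."""
    samples = {
        "public_internet": request_ctx(None, None),
        "endpoint_a": request_ctx(VPCE_A, VPC_ID),
        "endpoint_b_same_vpc": request_ctx(VPCE_B, VPC_ID),
    }
    return {name: deny_matches(statement, ctx) for name, ctx in samples.items()}


BY_ENDPOINT = deny_unless("aws:sourceVpce", VPCE_A)  # pins one endpoint
BY_VPC = deny_unless("aws:sourceVpc", VPC_ID)        # any endpoint in the VPC
```

Both statements deny the public-Internet call; they differ only on the second endpoint in the same VPC, which is exactly the case the thread turns on.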