
  • Section-Based – Data Protection (Security)

  • Zackn

    October 7, 2021 at 3:24 am

    Hi, please review the answers for this question, as I don’t believe they are 100% correct. The question is as follows:

    A Security Administrator is managing the access controls of the company’s customer keys in AWS KMS. These permissions allow other AWS principals to access a CMK, provide temporary permissions or grant more granular permissions.

    What are the resource-based access control mechanisms that AWS KMS supports? (Select TWO.)

    1. Service-linked role

    2. Service control policy

    x3. Grants

    4. permissions boundary

    x5. key policies

    The correct answer is marked as 3 and 5.

    5 is indeed correct, as it is a resource-based policy. However, grants are, from what I can find in the AWS documentation, part of the identity-based policies, and therefore not a resource-based policy. AWS clearly mentions that resource-based policies are key policies, NOT grants.




    Quotes from the references above:

    “Policies attached to an IAM identity are called identity-based policies (or IAM policies), and policies attached to other kinds of resources are called resource-based policies. In AWS KMS, you must attach resource-based policies to your KMS keys. These are called key policies. All KMS keys have a key policy.”

    “Use grants in combination with the key policy – You can use grants in combination with the key policy to allow access to a KMS key. Controlling access this way enables you to allow access to the KMS key in the key policy, and to allow users to delegate their access to others.”

    “To allow access to a KMS key, you must use the key policy, either alone or in combination with IAM policies or grants.”
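    As an added illustration (not part of the original post or of AWS's own documentation), this is how the mechanisms the quotes describe fit together in one key policy: the key policy is the resource-based policy attached to the KMS key, its first statement is what enables IAM policies in the account to apply to the key at all, and a grant can only be created by a principal that the key policy (or an IAM policy it enables) already allows kms:CreateGrant for, here restricted to grants made on behalf of AWS services. The account ID 111122223333, the role name ExampleAppRole and the Sid texts are placeholders chosen for this example.

    ```json
    {
      "Version": "2012-10-17",
      "Id": "example-key-policy-added-for-illustration",
      "Statement": [
        {
          "Sid": "Example: enable IAM policies in account 111122223333 to allow access to this key",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
          "Action": "kms:*",
          "Resource": "*"
        },
        {
          "Sid": "Example: let the placeholder application role use the key directly",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::111122223333:role/ExampleAppRole" },
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
          ],
          "Resource": "*"
        },
        {
          "Sid": "Example: let the same role delegate via grants, but only to AWS services acting on its behalf",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::111122223333:role/ExampleAppRole" },
          "Action": [
            "kms:CreateGrant",
            "kms:ListGrants",
            "kms:RevokeGrant"
          ],
          "Resource": "*",
          "Condition": {
            "Bool": { "kms:GrantIsForAWSResource": "true" }
          }
        }
      ]
    }
    ```

    Without the first statement, IAM policies in the account cannot allow access to this key on their own, which is the point of the last quote above; the third statement shows a grant being layered on top of, not replacing, the key policy.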

  • Carlo-TutorialsDojo

    October 8, 2021 at 3:36 am

    Hello Zackn,

    The question says ‘resource-based access control mechanism’ and not resource-based policy.

    Let me know what you think.


    Carlo @ Tutorials Dojo

  • Zackn

    October 8, 2021 at 3:43 am

    Hi Carlo,

    In this case, “resource-based” is not the right term to use, because the only thing at AWS which refers to “resource-based” is, really and usually, the resource-based policy attached to a service like S3 or KMS…

    I believe the question should have been: what access control mechanisms does AWS KMS support, and the answer would be: key policies, IAM, and grants. AWS is explicit in letting us know that the key policies are crucial and mandatory to have in place (in other words, we cannot ONLY use IAM policies).

    • Carlo-TutorialsDojo

      October 9, 2021 at 3:13 am

      Hello Zack,

      AWS used to refer to grants and key policies as “resource-based access control mechanism” in their docs but it seems that too is already updated. Nonetheless, I concur. In this scenario, I also think that the term “access control” is sufficient. Thank you for making the suggestion.


      Carlo @ Tutorials Dojo
