Section-Based – Data Protection (Security)
-
Hi, please review the answers for this question, as I don’t believe they are 100% correct. The question is as follows:
A Security Administrator is managing the access controls of the company’s customer keys in AWS KMS. These permissions allow other AWS principals to access a CMK, provide temporary permissions or grant more granular permissions.
What are the resource-based access control mechanisms that AWS KMS supports? (Select TWO.)
1. Service-linked role
2. Service control policy
3. Grants
4. Permissions boundary
5. Key policies
The correct answer is marked as 3 and 5.
5 is indeed correct, as it is a resource-based policy. However, grants, from what I can find in the AWS documentation, are part of the identity-based policies, and therefore not a resource-based policy. AWS clearly states that resource-based policies are key policies, NOT grants.
References:
https://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html
https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
Quotes from the references above:
“Policies attached to an IAM identity are called identity-based policies (or IAM policies), and policies attached to other kinds of resources are called resource-based policies. In AWS KMS, you must attach resource-based policies to your KMS keys. These are called key policies. All KMS keys have a key policy.”
“Use grants in combination with the key policy – You can use grants in combination with the key policy to allow access to a KMS key. Controlling access this way enables you to allow access to the KMS key in the key policy, and to allow users to delegate their access to others.”
“To allow access to a KMS key, you must use the key policy, either alone or in combination with IAM policies or grants.”
-
Hello Zackn,
The question says ‘resource-based access control mechanism’ and not ‘resource-based policy’.
Let me know what you think.
Regards,
Carlo @ Tutorials Dojo
-
Hi Carlo,
In this case, “resource-based” is not the right term to use, because the only thing at AWS that refers to “resource-based” is, really and usually, the resource-based policy attached to a service like S3 or KMS…
I believe the question should have been: which access control mechanisms does AWS KMS support? The answer would be: key policies, IAM, and grants. AWS is explicit in letting us know that key policies are crucial and mandatory to have in place (in other words, we cannot ONLY use IAM policies).
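The three mechanisms named in the post above (key policy, IAM policies, grants) and the rule that IAM policies only work when the key policy lets the account in can be seen in a small, deliberately simplified model of how KMS decides a request. This is an added example written for this thread, not AWS or Tutorials Dojo code: the account ID, key ARN, principal names and grant ID are constructed, the policy documents follow the documented JSON shape, and the evaluation is a teaching approximation (Allow statements only, no Deny, no policy conditions other than grant constraints, no cross-account cases).

```python
"""Simplified model of the KMS access-control mechanisms.

Added example for the forum thread, not AWS code. Models:
  * the key policy (resource-based, mandatory, attached to the key),
  * IAM identity-based policies, which only count when the key policy
    contains the "Enable IAM User Permissions" statement for the account root,
  * grants, which delegate specific operations and can carry
    encryption-context constraints.
All identifiers below are constructed sample values.
"""

ACCOUNT = "111122223333"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches(pattern, value):
    """'kms:*'-style prefix wildcard, as used in Action/Resource elements."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _stmt_covers(stmt, action, resource):
    return (stmt.get("Effect") == "Allow"
            and any(_matches(a, action) for a in _as_list(stmt["Action"]))
            and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))


def key_policy_allows(key_policy, principal, action):
    """Direct access granted by the key policy itself (resource-based)."""
    for stmt in key_policy["Statement"]:
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principal in principals and _stmt_covers(stmt, action, KEY_ARN):
            return True
    return False


def key_policy_enables_iam(key_policy, action):
    """IAM policies in the account only take effect if the key policy lets the
    account root principal perform the action (the default 'Enable IAM User
    Permissions' statement)."""
    return key_policy_allows(key_policy, ROOT, action)


def iam_allows(iam_policies, principal, action):
    """Identity-based policy attached to the principal (no Principal element)."""
    for stmt in iam_policies.get(principal, {"Statement": []})["Statement"]:
        if _stmt_covers(stmt, action, KEY_ARN):
            return True
    return False


def grant_allows(grants, principal, action, encryption_context):
    """Grants name a grantee, a list of operations and optional constraints."""
    op = action.split(":", 1)[1]  # "kms:Decrypt" -> grant operation "Decrypt"
    for g in grants:
        if g["KeyId"] != KEY_ARN or g["GranteePrincipal"] != principal:
            continue
        if op not in g["Operations"]:
            continue
        c = g.get("Constraints", {})
        subset = c.get("EncryptionContextSubset")
        equals = c.get("EncryptionContextEquals")
        # Subset: every constraint pair must appear in the request's context.
        if subset and any(encryption_context.get(k) != v for k, v in subset.items()):
            continue
        if equals and encryption_context != equals:
            continue
        return True
    return False


def is_allowed(principal, action, key_policy, iam_policies=None, grants=(), encryption_context=None):
    """Return the mechanism that authorised the request, or None if denied."""
    iam_policies, encryption_context = iam_policies or {}, encryption_context or {}
    if key_policy_allows(key_policy, principal, action):
        return "key-policy"
    if (principal.startswith(f"arn:aws:iam::{ACCOUNT}:")
            and key_policy_enables_iam(key_policy, action)
            and iam_allows(iam_policies, principal, action)):
        return "iam-policy"
    if grant_allows(grants, principal, action, encryption_context):
        return "grant"
    return None


# --- constructed sample policies and grant -------------------------------
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"
ADMIN = f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"

# Key policy naming only the admin role: IAM policies in the account do nothing.
LOCKED_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ADMIN}, "Action": "kms:*", "Resource": "*"}]}

# Same policy plus the default statement that lets IAM policies take effect.
OPEN_TO_IAM_KEY_POLICY = {"Version": "2012-10-17", "Statement": LOCKED_KEY_POLICY["Statement"] + [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"}]}

IAM_POLICIES = {ALICE: {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": KEY_ARN}]}}

# Grant created for bob: Decrypt only, and only with dept=finance in the context.
GRANTS = [{"GrantId": "constructed-grant-id-1", "KeyId": KEY_ARN, "GranteePrincipal": BOB,
           "Operations": ["Decrypt"],
           "Constraints": {"EncryptionContextSubset": {"dept": "finance"}}}]


def demo():
    return {
        "alice_locked": is_allowed(ALICE, "kms:Decrypt", LOCKED_KEY_POLICY, IAM_POLICIES),
        "alice_open": is_allowed(ALICE, "kms:Decrypt", OPEN_TO_IAM_KEY_POLICY, IAM_POLICIES),
        "admin": is_allowed(ADMIN, "kms:ScheduleKeyDeletion", LOCKED_KEY_POLICY),
        "bob_finance": is_allowed(BOB, "kms:Decrypt", LOCKED_KEY_POLICY, grants=GRANTS,
                                  encryption_context={"dept": "finance", "app": "payroll"}),
        "bob_hr": is_allowed(BOB, "kms:Decrypt", LOCKED_KEY_POLICY, grants=GRANTS,
                             encryption_context={"dept": "hr"}),
        "bob_encrypt": is_allowed(BOB, "kms:Encrypt", LOCKED_KEY_POLICY, grants=GRANTS,
                                  encryption_context={"dept": "finance"}),
    }


if __name__ == "__main__":
    for case, via in demo().items():
        print(f"{case:12s} -> {via or 'DENIED'}")
```

Running it shows alice denied under the locked key policy despite her IAM policy, allowed via "iam-policy" once the root statement is present, the admin allowed directly by the key policy, and bob allowed only through the grant and only for the operation and encryption context the grant permits. The real service additionally evaluates Deny statements, policy conditions, cross-account access and retired or revoked grants, none of which this model covers.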
-
Hello Zack,
AWS used to refer to grants and key policies as “resource-based access control mechanisms” in their docs, but it seems that too has already been updated. Nonetheless, I concur. In this scenario, I also think that the term “access control” is sufficient. Thank you for making the suggestion.
Regards,
Carlo @ Tutorials Dojo