
  • Section-Based – Data Protection (Security)

  • Zackn

    October 7, 2021 at 4:27 am

    The question states:

    A Security Administrator prepared a new AWS Key Management Service (AWS KMS) key with the following key policy:

      {
        "Sid": "Enable Tutorials Dojo Permissions",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::111122223333:root"
        },
        "Action": "kms:*",
        "Resource": "*"
      }

    What does the above policy do? (Select TWO.)

    The correct answers were:

    1. Allows the AWS IAM service of the 111122223333 AWS Account to delegate permissions and KMS actions.

    2. Allows access for the 111122223333 AWS account to manage the KMS key access through IAM policies.

    My comments: Well, the two answers are actually redundant: they do the same thing. What the other answer should be is to mention the very important point which, according to the AWS docs, is:

    “The default key policy gives the AWS account (root user) that owns the KMS key full access to the KMS key.”

    “You cannot delete your AWS account root user, so allowing access to this user reduces the risk of the KMS key becoming unmanageable”

    So the default policy serves 2 purposes: to prevent a locked CMK (via the key policy), and to allow IAM policies to be used as an access method to the CMK.
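As an added illustration (not part of Zackn's post or Tutorials Dojo's material), the audit check below parses a KMS key policy and reports which statements still carry the account-root delegation the post describes, i.e. an unconditional Allow of kms:* on * to arn:aws:iam::ACCOUNT:root (or the bare account ID, which IAM treats the same way). The policy JSON is constructed here from the statement quoted in the question; the function and constant names are mine.

```python
import json

# Constructed sample: the statement quoted in the question, wrapped in a full key policy.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable Tutorials Dojo Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

# Constructed sample of the failure mode the docs warn about: only one IAM user is
# allowed, so if that user is deleted nobody can administer the key via IAM.
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Single admin",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/key-admin"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def root_delegation_statements(policy_json, account_id):
    """Return the Sids of statements that give the account's root principal
    unconditional kms:* on *, which is what lets IAM policies grant KMS access
    and keeps the key manageable if individual IAM identities disappear."""
    root_principals = {f"arn:aws:iam::{account_id}:root", account_id}
    found = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if (root_principals & set(principals)
                and "kms:*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found

def key_is_manageable(policy_json, account_id):
    """True when at least one root-delegation statement is present."""
    return bool(root_delegation_statements(policy_json, account_id))
```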

  • Carlo-TutorialsDojo

    October 8, 2021 at 3:31 am

    Hello Zackn,

    Thanks for your insights.

    Hmm. Interesting. It looks like AWS has reinvented the meaning of the default KMS policy. If you watch this clip of Matt Bretan from AWS re:Invent (2017), he clearly said that the “root” in that Principal does not refer to the root user but rather to delegating KMS permissions to IAM.

    It appears that the KMS documentation has been updated.

    We will look into this and apply the necessary change.


    Carlo @ Tutorials Dojo

  • Zackn

    October 8, 2021 at 3:56 am

    Thanks, yes, that video is more than 4 years old, and a lot of things have happened in AWS since 4 months ago 🙂

    KMS is one of those services where a lot of changes happen quietly, so the AWS docs are the best sources for that. I have seen in some cases that the AWS docs don't reflect the actual production quickly enough!
