Reply To: KMS and VPC Endpoints answers not clear (AWS Certified Security – Specialty forum)
Hi Mark,
Could you kindly expound your issue, please? The provided answers in this scenario are:
– Modify the AWS KMS key policy to include the aws:sourceVpce condition and reference the VPC endpoint ID.
– Set up a new VPC endpoint for AWS KMS with private DNS enabled.
It doesn’t say that the former is incorrect. It’s the other way around.
If you are using a VPC Endpoint, the communication between your VPC and AWS KMS is conducted entirely within the AWS network and doesn’t pass through the public Internet.
Regarding the aws:sourceVpc condition, this is useful if you have multiple VPC endpoints configured in the same VPC. This means that you still have to use VPC Endpoints in order for you to use this condition.
I acknowledge that the aws:sourceVpc condition could possibly be a valid answer here; however, the scenario fails to mention that the VPC already has existing VPC endpoints. If this option said “… launch multiple VPC endpoints in the VPC and include the aws:sourceVpc condition”, then yes, this would be a valid answer, but the scenario doesn’t warrant the use of multiple VPC endpoints in the first place.
To avoid any further issues, I’ll revise the option to clear up this ambiguity.
Thanks again for sharing your thoughts, and let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!
Regards,
Jon Bonso @ Tutorials Dojo
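The first of the two answers above, a KMS key policy that references the VPC endpoint ID through the aws:sourceVpce condition, as an added worked example that is not part of the forum thread or of Tutorials Dojo's material. The account ID and endpoint ID are constructed placeholders. The policy keeps the account root's administrative access in an Allow statement and puts the restriction in a Deny statement that covers only the cryptographic actions, so the key cannot be locked out by an administrator who is not connecting through the endpoint; the Deny fires whenever the request context's aws:sourceVpce is missing (a request that did not traverse the endpoint) or names a different endpoint. For comparison, aws:sourceVpce matches one endpoint ID, while aws:sourceVpc matches the VPC ID and therefore covers every KMS endpoint in that VPC. The evaluator at the bottom is a deliberately simplified illustration of that one Deny statement, not a model of full IAM evaluation (IAM policies, SCPs, grants and the other statements are not considered).

```python
"""Added example (not part of the forum thread): a KMS key policy restricting
cryptographic use of the key to requests arriving through one VPC endpoint,
plus a simplified check of how the aws:sourceVpce Deny statement behaves.
All identifiers below are constructed placeholders."""
import json
from fnmatch import fnmatchcase

ACCOUNT_ID = "111122223333"              # constructed placeholder
ENDPOINT_ID = "vpce-0123456789abcdef0"   # constructed placeholder (VPC endpoint ID)


def kms_key_policy(account_id: str, endpoint_id: str) -> dict:
    """Build the key policy.

    Statement 1 keeps the account root as administrator (standard for a
    customer managed key). Statement 2 denies the cryptographic actions
    unless the request carries aws:sourceVpce equal to our endpoint; the
    administrative actions are intentionally left out of the Deny so the
    key stays manageable from outside the VPC."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableRootAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "DenyCryptoUseOutsideVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                ],
                "Resource": "*",
                # StringNotEquals: true when the key is absent OR differs,
                # so the Deny applies to every request not via this endpoint.
                "Condition": {"StringNotEquals": {"aws:sourceVpce": endpoint_id}},
            },
        ],
    }


def _action_matches(action: str, patterns) -> bool:
    """Wildcard match of a requested action against a statement's Action list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action, p) for p in patterns)


def denied_by_endpoint_restriction(policy: dict, action: str, request_context: dict) -> bool:
    """Simplified evaluation of the Deny statements only.

    request_context models the condition keys IAM attaches to a request;
    a request that did not traverse a VPC endpoint has no aws:sourceVpce
    key at all. Returns True when the endpoint restriction denies it."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _action_matches(action, stmt["Action"]):
            continue
        expected = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:sourceVpce")
        if expected is None:
            continue
        # Missing key -> get() returns None -> != expected -> Deny applies.
        if request_context.get("aws:sourceVpce") != expected:
            return True
    return False


if __name__ == "__main__":
    policy = kms_key_policy(ACCOUNT_ID, ENDPOINT_ID)
    print(json.dumps(policy, indent=2))  # the document you would attach with put-key-policy
    via_endpoint = {"aws:sourceVpce": ENDPOINT_ID}
    over_internet = {}
    print("Decrypt via endpoint denied? ", denied_by_endpoint_restriction(policy, "kms:Decrypt", via_endpoint))
    print("Decrypt over internet denied?", denied_by_endpoint_restriction(policy, "kms:Decrypt", over_internet))
```

The second answer in the thread, a KMS interface endpoint with private DNS enabled, is what makes this work without client changes: with private DNS on, the regional KMS hostname resolves inside the VPC to the endpoint's private IPs, so SDK calls that use the default endpoint automatically carry the aws:sourceVpce key and pass the condition above.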