
Amazon Exam SCS-C01 Topic 2 Question 65 Discussion

Actual exam question for Amazon's SCS-C01 exam
Question #: 65
Topic #: 2

A developer has created an AWS Lambda function in a company's development account. The Lambda function requires the use of an AWS Key Management Service (AWS KMS) customer managed key that exists in a security account that the company's security team controls. The developer obtains the ARN of the KMS key from a previous Lambda function in the development account. The previous Lambda function had been working properly with the KMS key.

When the developer uses the ARN and tests the new Lambda function, an error message states that access is denied to the KMS key in the security account. The developer tests the previous Lambda function that uses the same KMS key and discovers that the previous Lambda function can still encrypt data as expected.

A security engineer must resolve the problem so that the new Lambda function in the development account can use the KMS key from the security account.

Which combination of steps should the security engineer take to meet these requirements? (Select TWO.)

Suggested Answer: C, E

The key policy is the primary access control for a KMS key, and cross-account use of a key is a two-part grant. A principal in another account can use the key only if (1) the key policy in the account that owns the key allows that external principal (or that principal's account), and (2) an identity-based IAM policy attached to the principal in its own account delegates the same kms: permissions for that key. Neither half works alone: an IAM policy in the development account cannot reach a key whose policy does not allow the caller, and a key policy entry for a development-account role grants nothing until a policy attached to that role allows the kms: actions on the key. This also explains the symptom. The previous Lambda function keeps working because its execution role is already allowed by the key policy, whereas the key policy does not allow the execution role of the new function, so copying the key ARN is not enough. The security engineer must therefore change the key policy of the KMS key in the security account to allow the IAM role of the new Lambda function in the development account (option E), and attach an IAM policy to that role in the development account that allows the required kms: actions (typically kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey* and kms:DescribeKey) on the key in the security account (option C). Option A is incorrect because it creates the IAM role for the new Lambda function in the security account rather than in the development account. Option B is incorrect because a key policy is attached to the KMS key itself, not to an IAM role. Option D is incorrect because it allows access to a role in the security account, not to the role of the new Lambda function in the development account. References:

https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html

https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html
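The following script models the two-part cross-account rule described in the suggested answer so the symptom can be reproduced and each candidate fix checked. It is an added example written for this page, not code from the original page or from AWS; the account IDs, region, key ID, role names and the Sid "AllowDevLambdaUse" are made-up placeholders, and the evaluator is a deliberately small model of IAM (no conditions, no grants, cross-account requests only).

```python
"""Toy model of AWS cross-account KMS access evaluation (added example).

A request from a role in one account to a KMS key in another is allowed only
if the key policy (in the key's account) allows that role or its account AND
an identity-based policy on the role (in the role's account) allows the action
on that key. Account IDs, region, key ID and role names are made up.
"""
import copy
import fnmatch

SECURITY_ACCOUNT = "111111111111"  # hypothetical account that owns the key
DEV_ACCOUNT = "222222222222"       # hypothetical account that owns the Lambda roles
KEY_ARN = (f"arn:aws:kms:us-east-1:{SECURITY_ACCOUNT}:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")
OLD_ROLE = f"arn:aws:iam::{DEV_ACCOUNT}:role/old-lambda-role"
NEW_ROLE = f"arn:aws:iam::{DEV_ACCOUNT}:role/new-lambda-role"
KMS_USE = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
           "kms:GenerateDataKey*", "kms:DescribeKey"]

# Key policy on the key in the security account: only the old role is named.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRootPermissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{SECURITY_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowDevLambdaUse", "Effect": "Allow",
         "Principal": {"AWS": [OLD_ROLE]},
         "Action": KMS_USE, "Resource": "*"},
    ],
}
# Identity-based policy attached to a Lambda execution role in the dev account.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": KMS_USE, "Resource": KEY_ARN}],
}
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def account_of(arn):
    return arn.split(":")[4]


def principal_matches(principal, role_arn):
    """Key-policy Principal matches '*', the role ARN, or the role's account (root)."""
    if principal == "*":
        return True
    root = f"arn:aws:iam::{account_of(role_arn)}:root"
    return any(p in ("*", role_arn, root, account_of(role_arn))
               for p in _as_list(principal.get("AWS", [])))


def evaluate(policy, action, resource, role_arn=None):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document.
    Statements with a Principal (key policies) are filtered by role_arn."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if "Principal" in stmt and not principal_matches(stmt["Principal"], role_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def can_use_key(key_policy, identity_policy, role_arn, action, key_arn=KEY_ARN):
    """Cross-account rule: both the key policy and the identity policy must Allow."""
    assert account_of(role_arn) != account_of(key_arn), "model covers cross-account only"
    return (evaluate(key_policy, action, key_arn, role_arn) == "Allow"
            and evaluate(identity_policy, action, key_arn) == "Allow")


def grant_role_in_key_policy(key_policy, role_arn, sid="AllowDevLambdaUse"):
    """Option E: copy of the key policy with role_arn added to the named statement."""
    fixed = copy.deepcopy(key_policy)
    for stmt in fixed["Statement"]:
        if stmt.get("Sid") == sid:
            current = set(_as_list(stmt["Principal"]["AWS"]))
            stmt["Principal"]["AWS"] = sorted(current | {role_arn})
            return fixed
    raise KeyError(f"no statement with Sid {sid!r}")


def diagnose(action="kms:Encrypt"):
    """Reproduce the question's symptom, then show which fixes actually work."""
    fixed = grant_role_in_key_policy(KEY_POLICY, NEW_ROLE)
    return {
        "old role (in key policy, has IAM policy)": can_use_key(KEY_POLICY, ROLE_POLICY, OLD_ROLE, action),
        "new role, IAM policy only (option C alone)": can_use_key(KEY_POLICY, ROLE_POLICY, NEW_ROLE, action),
        "new role, key policy only (option E alone)": can_use_key(fixed, EMPTY_POLICY, NEW_ROLE, action),
        "new role, key policy and IAM policy (C and E)": can_use_key(fixed, ROLE_POLICY, NEW_ROLE, action),
    }


if __name__ == "__main__":
    for case, ok in diagnose().items():
        print(f"{case}: {'allowed' if ok else 'AccessDeniedException'}")
```

Running it shows the old role allowed, the new role denied with either fix alone, and allowed only with both. The model also accepts the development account root as a key-policy principal, which is the other valid pattern: naming the account delegates all decisions to IAM policies in the development account, while naming the specific role ARN (as above) keeps the key policy itself as the least-privilege boundary. In a real environment the two documents are applied with `aws kms put-key-policy` in the security account and `aws iam put-role-policy` (or a managed policy attachment) in the development account.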


Contribute your Thoughts:

Gregoria
15 days ago
Oof, this is a tough one. I'm leaning towards B and E. The security engineer needs to bridge the gap between the development and security accounts to get this resolved.
upvoted 0 times
Reuben
5 days ago
A: B) In the development account configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.
upvoted 0 times
Jill
26 days ago
Haha, this reminds me of that time I accidentally locked myself out of my own house. Anyway, I'm going with B and E. Gotta make sure the roles and policies are set up correctly across both accounts.
upvoted 0 times
Mary
16 days ago
A: Yeah, setting up the IAM role for the new Lambda function in the development account is crucial.
upvoted 0 times
Rossana
1 month ago
I think option E could also be a valid solution. Configuring a key policy for the KMS key to allow access to the IAM role in the development account.
upvoted 0 times
Nikita
1 month ago
Hmm, this seems like a tricky one. I'd go with B and D. Configuring the IAM role in the development account and the key policy in the security account should do the trick.
upvoted 0 times
Carlee
2 days ago
A: I think we should go with options B and D. That way we cover both the IAM role and the key policy.
upvoted 0 times
Audry
15 days ago
Definitely, B and D seem like the right combination of steps to resolve the problem.
upvoted 0 times
Louis
20 days ago
Agreed, setting up the IAM role in the development account and the key policy in the security account should solve the issue.
upvoted 0 times
Blossom
29 days ago
I think B and D are the way to go. It's all about configuring the IAM role and key policy.
upvoted 0 times
Lavonna
1 month ago
I believe option A is correct. It makes sense to configure the IAM role and attach the necessary policy for access.
upvoted 0 times
Bernardo
2 months ago
I agree with Kyoko. They should also attach an IAM policy that allows access to the KMS key in the security account.
upvoted 0 times
Lashandra
2 months ago
I think the answer is B and E. The developer needs to configure an IAM role in the development account and attach a key policy in the security account to allow access to the KMS key.
upvoted 0 times
William
5 days ago
Developer: That makes sense, let's go ahead and make those changes.
upvoted 0 times
Cammy
6 days ago
Security Engineer: And in the security account, we should attach a key policy to allow access to the KMS key.
upvoted 0 times
Wenona
7 days ago
Security Engineer: Yes, in the development account we need to configure an IAM role for the new Lambda function.
upvoted 0 times
Mohammad
27 days ago
Developer: I think the answer is B and E.
upvoted 0 times
Kyoko
2 months ago
I think the security engineer should configure an IAM role for the new Lambda function in the security account.
upvoted 0 times
