AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A team of data custodians must regularly oversee the lifecycle of encrypted backups. Which method most effectively secures the necessary key management service while allowing the custodians controlled and auditable access?
Assign policies within the key management service to the custodian accounts
Create individual keys for each data custodian's personal account management
Utilize Identity and Access Management policies to tailor custodian privileges to the key management service
Implement access using resource-based policies to ensure custodians can manage their scope of work
Using Identity and Access Management policies to grant the necessary privileges to the data custodians conforms to the standard security practice of defining access controls through policies, offering flexibility and fine-grained permissions. It upholds the principle of least privilege. Directly embedding policies in keys is less flexible and not best practice. Assigning individual keys per user is inefficient and complicates oversight and clearance audits, whereas resource-level permissions generally govern access to the actual data or resources and do not address key management permissions.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Identity and Access Management (IAM) in AWS?
Open an interactive chat with Bash
What are key management services, and why are they important for encrypted backups?
Open an interactive chat with Bash
What does the principle of least privilege mean in the context of IAM?