AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A team of data custodians must regularly oversee the lifecycle of encrypted backups. What is the most secure and auditable way to give them the required permissions to manage the customer-managed AWS KMS key that encrypts those backups?
Create a separate customer-managed key for each custodian so they can manage their own backups.
Grant the data custodians full kms:* access through an IAM inline policy only, leaving the key policy unchanged.
Use a bucket policy on the backup Amazon S3 bucket to give custodians access; the key permissions will be inherited automatically.
Attach a key policy to the AWS KMS key that grants a dedicated data-custodian IAM role the required key-management permissions.
Attach a key policy to the customer-managed KMS key that lists a dedicated IAM role (for the data custodians) as a principal and grants that role only the specific kms:* administrative permissions it needs (for example, EnableKeyRotation, ScheduleKeyDeletion). Key policies are the primary and recommended mechanism for controlling access to an individual KMS key, provide fine-grained and auditable control, and allow the principle of least privilege to be enforced. IAM policies alone cannot grant access unless the key policy explicitly allows them, and creating separate keys or using unrelated resource policies introduces unnecessary complexity without additional security benefits.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Identity and Access Management (IAM) in AWS?
Open an interactive chat with Bash
What are key management services, and why are they important for encrypted backups?
Open an interactive chat with Bash
What does the principle of least privilege mean in the context of IAM?