AWS Certified Developer – Associate (DVA-C02) — Question 531
A developer has an application that runs in AWS Account A. The application must retrieve an AWS Secrets Manager secret that is encrypted by an AWS Key Management Service (AWS KMS) key from AWS Account B. The application’s role has permissions to access the secret in Account B.
The developer must add a statement to the KMS key’s key policy to allow the role in Account A to use the KMS key in Account B. The permissions must grant least privilege access to the role.
Which permissions will meet these requirements?
Answer options
- A. kms:Decrypt and kms:DescribeKey
- B. secretsmanager:DescribeSecret and secretsmanager:GetSecretValue
- C. kms:*
- D. secretsmanager:*
Correct answer: A
Explanation
To retrieve and decrypt the cross-account secret, the application's IAM role needs two KMS permissions on the key in Account B: kms:Decrypt, so that Secrets Manager can decrypt the secret value on the role's behalf, and kms:DescribeKey, so that the key's metadata can be read. Granting kms:* violates the principle of least privilege because it gives the role full administrative control of the key rather than the read-only use it requires. The secretsmanager:* and secretsmanager:GetSecretValue permissions are not KMS actions and are therefore not valid in a KMS key policy; they belong in an IAM policy or in the secret's resource policy, and the question states they are already configured on the application's role.
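The key-policy statement that option A describes, written out as an added example (it is not part of the original question). The account ID, role name and Region are placeholders, and the kms:ViaService condition is an optional tightening that restricts the role to using the key through Secrets Manager rather than calling KMS directly.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccountARoleToUseKeyViaSecretsManager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/AppRoleInAccountA"
      },
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

In a key policy, "Resource": "*" refers only to the key the policy is attached to, and this statement is added alongside the key's existing statements (in particular the key-administrator statement), not as a replacement for them. Cross-account retrieval additionally requires that the secret's own resource policy in Account B allow the Account A role to call secretsmanager:GetSecretValue.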