AWS Certified Developer – Associate — Question 180
A developer is writing an IAM policy document that grants administrator access to AWS Key Management Service (AWS KMS) for a federated user. The federated IAM role name is FederatedIAMRole. The user name is KeyAdmin.
How should the developer set the principal in the KMS key policy to meet these requirements?
Answer options
- A. "Principal": { "AWS": "arn:aws:sts::123456789012:role/FederatedIAMRole/KeyAdmin" }
- B. "Principal": { "AWS": "arn:aws:sts::123456789012:user/FederatedIAMRole/KeyAdmin" }
- C. "Principal": { "AWS": "arn:aws:sts::123456789012:user/KeyAdmin" }
- D. "Principal": { "AWS": "arn:aws:sts::123456789012:assumed-role/FederatedIAMRole/KeyAdmin" }
Correct answer: D
Explanation
The correct answer is D because it uses the STS assumed-role ARN, which is how a federated user who has assumed the role FederatedIAMRole is identified: the ARN combines the role name with the session (user) name KeyAdmin. Options A and B are incorrect because neither "sts::...:role/..." nor "sts::...:user/..." is a valid principal form for an assumed-role session. Option C is also wrong because it references only the user, without the role context that federated access requires.