AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 224

A company uses an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to deploy its web applications on containers. The web applications contain confidential data that cannot be decrypted without specific credentials.

A DevOps engineer has stored the credentials in AWS Secrets Manager. The secrets are encrypted by an AWS Key Management Service (AWS KMS) customer managed key. A Kubernetes service account for a third-party tool makes the secrets available to the applications. The service account assumes an IAM role that the company created to access the secrets.

The service account receives an Access Denied (403 Forbidden) error while trying to retrieve the secrets from Secrets Manager.

What is the root cause of this issue?

Answer options

• A. The IAM role that is attached to the EKS cluster does not have access to retrieve the secrets from Secrets Manager.
• B. The key policy for the customer managed key does not allow the Kubernetes service account IAM role to use the key.
• C. The key policy for the customer managed key does not allow the EKS cluster IAM role to use the key.
• D. The IAM role that is assumed by the Kubernetes service account does not have permission to access the EKS cluster.

Correct answer: B

Explanation

The correct answer is B because the Kubernetes service account's IAM role must have permissions defined in the key policy to decrypt the secrets stored in AWS Secrets Manager. If the key policy does not allow the service account's role to use the KMS key, it will lead to the Access Denied error. The other options do not directly address the issue of key policy permissions related to the service account's ability to access Secrets Manager.