AWS Certified Security – Specialty (SCS-C02) — Question 248

A security engineer is working with a development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS Key Management Service (AWS KMS) customer managed key to encrypt the data in Amazon S3.

The inventory data in Amazon S3 will be shared with hundreds of vendors. All vendors will use AWS principals from their own AWS accounts to access the data in Amazon S3. The vendor list might change weekly. The security engineer needs to find a solution that supports cross-account access.

Which solution is the MOST operationally efficient way to manage access control for the customer managed key?

Answer options

• A. Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.
• B. Use am IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.
• C. Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.
• D. Use delegated access across AWS accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross-account vendor access.

Correct answer: A

Explanation

Option A is correct because KMS grants allow for efficient management of access to the customer managed key, enabling the engineer to programmatically create and revoke grants as vendors change. Options B and C require more complex policy updates and do not provide the same level of operational efficiency. Option D, while feasible, introduces additional complexity with trust policy management compared to using KMS grants.