AWS Certified Security – Specialty (SCS-C02) — Question 290

A security engineer is implementing a logging solution for a company’s AWS environment. The security engineer has configured an AWS CloudTrail trail in the company’s AWS account. The logs are stored in an Amazon S3 bucket for a third-party service provider to monitor. The service provider has a designated IAM role to access the S3 bucket.

The company requires all logs to be encrypted at rest with a customer managed key. The security engineer uses AWS Key Management Service (AWS KMS) to create the customer managed key and key policy. The security engineer also configures CloudTrail to use the key to encrypt the trail.

After the security engineer implements this configuration, the service provider can no longer read the logs.

What should the security engineer do to allow the service provider to read the logs?

Answer options

Correct answer: B

Explanation

When S3 objects are encrypted with a customer managed KMS key, the accessing IAM role must be granted explicit permission to decrypt using that key, which must be configured in the KMS key policy. Modifying the S3 bucket policy alone is insufficient because KMS permissions are governed separately by the key policy. Other options, such as using AWS Certificate Manager or attaching standard AWS managed policies, do not correctly address the cross-account KMS key policy requirement.
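The shape of a key policy that satisfies this requirement, as an added example (not part of the original question): it keeps the account's administrative access, lets CloudTrail generate data keys for the trail, and grants the provider's role kms:Decrypt. Account IDs 111111111111 (company) and 222222222222 (provider), the trail name example-trail, the region and the role name ServiceProviderLogReader are placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "cloudtrail-log-key-policy",
  "Statement": [
    {
      "Sid": "EnableKeyAdministrationByOwningAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowCloudTrailToEncryptLogsForThisTrailOnly",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "kms:GenerateDataKey*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111111111111:trail/example-trail"
        },
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111111111111:trail/*"
        }
      }
    },
    {
      "Sid": "AllowCloudTrailToDescribeKey",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    },
    {
      "Sid": "AllowServiceProviderRoleToDecryptLogs",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::222222222222:role/ServiceProviderLogReader" },
      "Action": "kms:Decrypt",
      "Resource": "*"
    }
  ]
}
```

Because the provider's role lives in another account, its own identity-based policy in that account must also allow kms:Decrypt on this key's ARN (cross-account access requires both the resource policy and the identity policy to allow it); the S3 bucket policy still needs to grant s3:GetObject, but that alone does not unlock KMS-encrypted objects.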