AWS Certified Security – Specialty (SCS-C03) — Question 14
A security team manages a company's AWS Key Management Service (AWS KMS) customer managed keys. Only members of the security team can administer the KMS keys. The company's application team has a software process that occasionally needs temporary access to the keys. The security team needs to provide the application team's software process with access to the keys.
Which solution will meet these requirements with the LEAST operational overhead?
Answer options
- A. Export the KMS key material to an on-premises hardware security module (HSM). Give the application team access to the key material.
- B. Edit the key policy that grants the security team access to the KMS keys by adding the application team as principals. Revert this change when the application team no longer needs access.
- C. Create a key grant to allow the application team to use the KMS keys. Revoke the grant when the application team no longer needs access.
- D. Create a new KMS key by generating key material on premises. Import the key material to AWS KMS whenever the application team needs access. Grant the application team permissions to use the key.
Correct answer: C
Explanation
Option C is the most efficient solution because a key grant lets the security team delegate use of the KMS keys to the application team's process and revoke the grant as soon as access is no longer required, which minimizes operational overhead. Options A and D add unnecessary complexity by managing key material outside of AWS, while Option B requires editing the key policy itself, which leaves the application team with standing access if the change is not reverted properly.