AWS Certified Security – Specialty — Question 260

A company's engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) CMK grants for users. Immediately after a grant is created, users must be able to use the CMK to encrypt a 512-byte payload. During load testing, a bug appears intermittently where
AccessDeniedExceptions are occasionally triggered when a user first attempts to encrypt using the CMK.
Which solution should the company's security specialist recommend?

Answer options

• A. Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.
• B. Instruct the engineering team to consume a random grant token from users, and to call the CreateGrant operation, passing it the grant token. Instruct users to use that grant token in their call to encrypt.
• C. Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.
• D. Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.

Correct answer: D

Explanation

The correct answer is D because it ensures that users are using the grant token that is specifically issued for their session, which prevents AccessDeniedExceptions due to timing issues. Option A does not address the root cause of the issue, while options B and C introduce unnecessary complexity by using random grant tokens or names, which could lead to more errors.