AWS Certified Security – Specialty — Question 497

A Development team has asked for help configuring the IAM roles and policies in a new AWS account. The team using the account expects to have hundreds of master keys and therefore does not want to manage access control for customer master keys (CMKs).
Which of the following will allow the team to manage AWS KMS permissions in IAM without the complexity of editing individual key policies?

Answer options

• A. The account's CMK key policy must allow the account's IAM roles to perform KMS EnableKey.
• B. Newly created CMKs must have a key policy that allows the root principal to perform all actions.
• C. Newly created CMKs must allow the root principal to perform the kms CreateGrant API operation.
• D. Newly created CMKs must mirror the IAM policy of the KMS key administrator.

Correct answer: B

Explanation

To manage KMS permissions using IAM policies rather than modifying individual key policies, the key policy of each CMK must delegate control to the AWS account root principal (which represents the account itself). By granting the root principal full access to the CMK, IAM policies can then be used to define specific KMS permissions for users and roles within that account. Options A, C, and D do not establish this delegation of authority, which is required to leverage IAM policies for KMS administration.