AWS Certified Security – Specialty — Question 73

A Security Engineer is looking for a way to control access to data that is being encrypted under a CMK. The Engineer is also looking to use additional authenticated data (AAD) to prevent tampering with ciphertext.
Which action would provide the required functionality?

Answer options

• A. Pass the key alias to AWS KMS when calling Encrypt and Decrypt API actions.
• B. Use IAM policies to restrict access to Encrypt and Decrypt API actions.
• C. Use kms:EncryptionContext as a condition when defining IAM policies for the CMK.
• D. Use key policies to restrict access to the appropriate IAM groups.

Correct answer: C

Explanation

The correct answer is C because using kms:EncryptionContext as a condition in IAM policies allows for the use of additional authenticated data (AAD) which helps in preventing tampering with the ciphertext. Options A and B do not specifically address the requirement for AAD, while D focuses on key policy restrictions without considering AAD functionality.