AWS Certified Security – Specialty — Question 94

A Security Engineer is working with the development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS KMS customer master key (CMK) to encrypt the data on Amazon S3. The inventory data on Amazon S3 will be shared of vendors. All vendors will use AWS principals from their own AWS accounts to access the data on Amazon S3. The vendor list may change weekly, and the solution must support cross-account access.
What is the MOST efficient way to manage access control for the KMS CMK7?

Answer options

• A. Use KMS grants to manage key access. Programmatically create and revoke grants to manage vendor access.
• B. Use an IAM role to manage key access. Programmatically update the IAM role policies to manage vendor access.
• C. Use KMS key policies to manage key access. Programmatically update the KMS key policies to manage vendor access.
• D. Use delegated access across AWS accounts by using IAM roles to manage key access. Programmatically update the IAM trust policy to manage cross- account vendor access.

Correct answer: A

Explanation

The correct answer is A because KMS grants allow for efficient and dynamic management of key access, making it easy to create and revoke access for vendors as their list changes weekly. Options B and C require more manual policy updates, which would be less efficient for frequently changing vendor access. Option D, while viable, introduces unnecessary complexity compared to using KMS grants.