AWS Certified SysOps Administrator – Associate — Question 22

A company is partnering with an external vendor to provide data processing services. For this integration, the vendor must host the company's data in an Amazon
S3 bucket in the vendor's AWS account. The vendor is allowing the company to provide an AWS Key Management Service (AWS KMS) key to encrypt the company's data. The vendor has provided an IAM role Amazon Resources Name (ARN) to the company for this integration.
What should a SysOps administrator do to configure this integration?

Answer options

• A. Create a new KMS key. Add the vendor's IAM role ARN to the KMS key policy. Provide the new KMS key ARN to the vendor.
• B. Create a new KMS key. Create a new IAM key. Add the vendor's IAM role ARN to an inline policy that is attached to the IAM user. Provide the new IAM user ARN to the vendor.
• C. Configure encryption using the KMS managed S3 key. Add the vendor's IAM role ARN to the KMS key policy. Provide the KMS managed S3 key ARN to the vendor.
• D. Configure encryption using the KMS managed S3 key. Create an S3 bucket. Add the vendor's IAM role ARN to the S3 bucket policy. Provide the S3 bucket ARN to the vendor.

Correct answer: A

Explanation

The correct answer is A because creating a new KMS key and adding the vendor's IAM role ARN to the KMS key policy ensures that the vendor can encrypt the company's data securely. Options B and D are incorrect because they involve unnecessary additional IAM users or S3 bucket policies that do not directly address the requirement for KMS key access. Option C is incorrect as it suggests using a managed S3 key instead of a new KMS key, which does not meet the specified requirement.