Amazon Exam SCS-C01 Topic 2 Question 65 Discussion

Actual exam question for Amazon's SCS-C01 exam
Question #: 65
Topic #: 2

A developer has created an AWS Lambda function in a company's development account. The Lambda function requires the use of an AWS Key Management Service (AWS KMS) customer managed key that exists in a security account that the company's security team controls. The developer obtains the ARN of the KMS key from a previous Lambda function in the development account. The previous Lambda function had been working properly with the KMS key.

When the developer uses the ARN and tests the new Lambda function, an error message states that access is denied to the KMS key in the security account. The developer tests the previous Lambda function that uses the same KMS key and discovers that the previous Lambda function can still encrypt data as expected.

A security engineer must resolve the problem so that the new Lambda function in the development account can use the KMS key from the security account.

Which combination of steps should the security engineer take to meet these requirements? (Select TWO.)

Suggested Answer: C, E

A KMS key policy is a resource-based policy that lives with the key, and cross-account use of a key is authorized in two places: the key policy in the account that owns the key must allow the external account (or specific roles in it), and an identity-based IAM policy on the calling role in the external account must allow the same kms: actions on that key's ARN. Both policies have to allow the request; neither one alone is sufficient. In this scenario the previous Lambda function still encrypts with the same key, which shows that the key exists, is enabled, and that its key policy already covers the previous function's execution role. The new function runs under a different execution role, which is a different principal, so it must be authorized on both sides: the key policy of the KMS key in the security account must allow the IAM role of the new Lambda function in the development account (option E), and that IAM role in the development account must carry an IAM policy that allows the required kms: actions on the KMS key in the security account (option C). Option A is incorrect because it creates the role for the new Lambda function in the security account rather than in the development account, where the function runs. Option B is incorrect because a key policy is attached to the KMS key, not to an IAM role. Option D is incorrect because it grants access to a role in the security account, not to the new function's role in the development account. Before editing anything, two checks settle which side is missing: read the key policy in the security account (aws kms get-key-policy --key-id <key ARN> --policy-name default) to see which principals it names, and compare the new function's execution role (aws lambda get-function-configuration --function-name <name> --query Role) and its attached policies with those of the previous function. If the key policy names individual role ARNs, every new role must be added there explicitly, which is the tighter setting and the one this scenario implies; if it instead trusts the development account's root principal, every role in that account can be delegated access through IAM policies alone, but the IAM policy on the role is still required in either case. References:

https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html

https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html
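The two-gate check described in the suggested answer, as an added example that is not part of the original page or of any AWS tooling. It builds the two policy documents the fix consists of (the key policy statement for option E and the role's identity policy for option C) and a deliberately simplified evaluator that reports which gate denies a given role; account IDs, role names and the key ID are constructed, and Deny statements, conditions, grants and principal wildcards are ignored, unlike in the real AWS evaluator.

```python
"""Two-gate model of cross-account KMS access (constructed example).

A role in the development account may use a key owned by the security
account only if BOTH the key policy (resource policy, stored with the key)
and an identity policy on the role allow the action.  Simplified: Deny
statements, conditions, grants and principal wildcards are not modelled.
Account IDs, role names and the key ID are made up for illustration.
"""
import fnmatch

SECURITY_ACCOUNT = "111111111111"   # constructed: account that owns the key
DEV_ACCOUNT = "222222222222"        # constructed: account running the Lambda
KEY_ARN = (f"arn:aws:kms:us-east-1:{SECURITY_ACCOUNT}:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")
OLD_ROLE = f"arn:aws:iam::{DEV_ACCOUNT}:role/previous-lambda-role"
NEW_ROLE = f"arn:aws:iam::{DEV_ACCOUNT}:role/new-lambda-role"
KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*",
               "kms:DescribeKey"]


def key_policy(external_principals):
    """Key policy for the security account's key: the option E side."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # keep the owner statement, or the key can become unmanageable
                "Sid": "EnableKeyOwnerPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{SECURITY_ACCOUNT}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowUseFromDevelopmentAccount",
                "Effect": "Allow",
                "Principal": {"AWS": list(external_principals)},
                "Action": KMS_ACTIONS,
                "Resource": "*",   # in a key policy "*" means this key only
            },
        ],
    }


def iam_policy(key_arn):
    """Identity policy for the Lambda execution role: the option C side."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": KMS_ACTIONS,
                           "Resource": key_arn}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    return any(fnmatch.fnmatchcase(action, pat)
               for pat in _as_list(statement["Action"]))


def key_policy_allows(policy, principal_arn, action):
    """Gate 1: the key policy names this role, or its account root."""
    account_root = "arn:aws:iam::" + principal_arn.split(":")[4] + ":root"
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        if ((principal_arn in principals or account_root in principals)
                and _action_matches(st, action)):
            return True
    return False


def iam_policy_allows(policy, key_arn, action):
    """Gate 2: the role's identity policy allows the action on this key."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if (any(fnmatch.fnmatchcase(key_arn, r) for r in _as_list(st["Resource"]))
                and _action_matches(st, action)):
            return True
    return False


def diagnose(principal_arn, key_arn, action, key_pol, iam_pol):
    """Return the gates that deny the request; an empty list means allowed."""
    missing = []
    if not key_policy_allows(key_pol, principal_arn, action):
        missing.append("key_policy")
    if iam_pol is None or not iam_policy_allows(iam_pol, key_arn, action):
        missing.append("iam_policy")
    return missing


if __name__ == "__main__":
    # The question's state: the key policy only names the previous role.
    before = key_policy([OLD_ROLE])
    print("previous role:", diagnose(OLD_ROLE, KEY_ARN, "kms:Encrypt",
                                     before, iam_policy(KEY_ARN)) or "allowed")
    print("new role:", diagnose(NEW_ROLE, KEY_ARN, "kms:Encrypt", before, None))
    # Option E (add the role to the key policy) plus option C (IAM policy).
    after = key_policy([OLD_ROLE, NEW_ROLE])
    print("new role after C + E:", diagnose(NEW_ROLE, KEY_ARN, "kms:Encrypt",
                                            after, iam_policy(KEY_ARN)) or "allowed")
```

Running the script shows the previous role passing both gates, the new role failing both, and the new role passing once it appears in the key policy and carries the identity policy. To apply the fix to a real key, the security account owner writes the full updated document back with aws kms put-key-policy --key-id <key ARN> --policy-name default --policy file://key-policy.json, keeping the owner statement intact, and the development account attaches the identity policy to the new function's execution role.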


Contribute your Thoughts:

Gregoria
4 months ago
Oof, this is a tough one. I'm leaning towards B and E. The security engineer needs to bridge the gap between the development and security accounts to get this resolved.
upvoted 0 times
Anastacia
3 months ago
B: E) Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.
upvoted 0 times
...
Reuben
4 months ago
A: B) In the development account configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.
upvoted 0 times
...
...
Jill
4 months ago
Haha, this reminds me of that time I accidentally locked myself out of my own house. Anyway, I'm going with B and E. Gotta make sure the roles and policies are set up correctly across both accounts.
upvoted 0 times
Lenora
3 months ago
B: Exactly, that way the new Lambda function can use the KMS key without any issues.
upvoted 0 times
...
Oneida
3 months ago
A: The key policy in the security account needs to allow access to the IAM role of the new Lambda function in the development account.
upvoted 0 times
...
Colene
3 months ago
B: Totally, and attaching a key policy that allows access to the KMS key in the security account is a must.
upvoted 0 times
...
Mary
4 months ago
A: Yeah, setting up the IAM role for the new Lambda function in the development account is crucial.
upvoted 0 times
...
...
Rossana
5 months ago
I think option E could also be a valid solution. Configuring a key policy for the KMS key to allow access to the IAM role in the development account.
upvoted 0 times
...
Nikita
5 months ago
Hmm, this seems like a tricky one. I'd go with B and D. Configuring the IAM role in the development account and the key policy in the security account should do the trick.
upvoted 0 times
Yuki
3 months ago
A: Let's go ahead and implement those steps to see if it resolves the problem with the Lambda function.
upvoted 0 times
...
Ezekiel
3 months ago
B: Agreed, setting up the IAM role in the development account and adjusting the key policy in the security account should resolve the access issue.
upvoted 0 times
...
Carlee
4 months ago
A: I think we should go with option B and D. That way we cover both the IAM role and key policy.
upvoted 0 times
...
Audry
4 months ago
Definitely, B and D seem like the right combination of steps to resolve the problem.
upvoted 0 times
...
Louis
4 months ago
Agreed, setting up the IAM role in the development account and the key policy in the security account should solve the issue.
upvoted 0 times
...
Blossom
4 months ago
I think B and D are the way to go. It's all about configuring the IAM role and key policy.
upvoted 0 times
...
...
Lavonna
5 months ago
I believe option A is correct. It makes sense to configure the IAM role and attach the necessary policy for access.
upvoted 0 times
...
Bernardo
5 months ago
I agree with Kyoko. They should also attach an IAM policy that allows access to the KMS key in the security account.
upvoted 0 times
...
Lashandra
5 months ago
I think the answer is B and E. The developer needs to configure an IAM role in the development account and attach a key policy in the security account to allow access to the KMS key.
upvoted 0 times
William
4 months ago
Developer: That makes sense, let's go ahead and make those changes.
upvoted 0 times
...
Cammy
4 months ago
Security Engineer: And in the security account, we should attach a key policy to allow access to the KMS key.
upvoted 0 times
...
Wenona
4 months ago
Security Engineer: Yes, in the development account we need to configure an IAM role for the new Lambda function.
upvoted 0 times
...
Mohammad
4 months ago
Developer: I think the answer is B and E.
upvoted 0 times
...
...
Kyoko
5 months ago
I think the security engineer should configure an IAM role for the new Lambda function in the security account.
upvoted 0 times
...
