ExamQuestions.com

AWS Certified Security Specialty Exam Questions


Question 41:

As a DevOps engineer, you are helping the team build out AWS services for a new project. Applications are deployed on two EC2 instances, EC2A and EC2B. Both instances need to encrypt dozens of files using a Customer Master Key (CMK) in KMS. The CMK has the following key policy:
{
  "Id": "key-consolepolicy-1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:role/EC2RoleA",
          "arn:aws:iam::123456789012:role/EC2RoleB"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
EC2RoleA is the IAM role used by EC2A and has no IAM policy related to KMS attached. EC2RoleB is the IAM role used by EC2B and has the following IAM policy attached:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
Both IAM roles are within the same AWS account as the CMK. Are EC2A and EC2B able to use the key for encryption properly?

Answer options:

A. Both EC2A and EC2B can use the CMK properly.
B. Both EC2A and EC2B are NOT able to use the CMK.
C. EC2A is NOT able to use the CMK because its IAM policy lacks an Allow action. EC2B can use the CMK.
D. EC2A can use the CMK for encryption. However, EC2B cannot use the CMK.
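The scenario above turns on how KMS combines a key policy with a caller's identity-based IAM policy. The following is an added illustration, not code from the exam site or from AWS: a deliberately small model of the documented same-account evaluation rules (an explicit Deny anywhere wins; otherwise the call succeeds if the key policy names the role directly, or if the key policy delegates to IAM via the account root principal and the IAM policy allows the action). Both policies are copied verbatim from the question; the key ARN is a constructed placeholder. Grants, condition keys, permission boundaries, SCPs, session policies and cross-account access are intentionally left out, so treat it as a reasoning aid rather than a substitute for the IAM policy simulator.

```python
"""Simplified model of same-account AWS KMS authorization (added example, not AWS code).

Rules modelled:
  1. An explicit Deny in the key policy or in the caller's identity-based
     (IAM) policy always wins.
  2. Otherwise the call is allowed if the key policy allows the caller's
     role ARN directly, or if the key policy delegates to IAM (an Allow for
     the account root principal) AND the IAM policy allows the action.
"""
import fnmatch

ACCOUNT_ID = "123456789012"  # account from the question
# Constructed placeholder ARN; the question does not give the key id.
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/EXAMPLE-KEY-ID"

# Key policy exactly as stated in the question.
KEY_POLICY = {
    "Id": "key-consolepolicy-1",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": [
                f"arn:aws:iam::{ACCOUNT_ID}:role/EC2RoleA",
                f"arn:aws:iam::{ACCOUNT_ID}:role/EC2RoleB",
            ]},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
    ],
}

# EC2RoleA has no KMS-related identity policy; EC2RoleB carries the explicit Deny.
ROLE_A_POLICY = {"Version": "2012-10-17", "Statement": []}
ROLE_B_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Deny",
        "Action": ["kms:Decrypt", "kms:Encrypt", "kms:DescribeKey"],
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, target):
    # IAM action/resource wildcards: '*' and '?' semantics, case-insensitive for actions.
    return any(fnmatch.fnmatchcase(target.lower(), p.lower()) for p in _as_list(patterns))


def _statement_applies(stmt, action, resource, principal_arn):
    """principal_arn=None means an identity-based policy (principal is implicit)."""
    if principal_arn is not None:
        principal = stmt.get("Principal")
        if principal != "*":
            if not isinstance(principal, dict) or \
               principal_arn not in _as_list(principal.get("AWS", [])):
                return False
    return _glob_match(stmt.get("Action", []), action) and \
           _glob_match(stmt.get("Resource", []), resource)


def _effects(policy, action, resource, principal_arn=None):
    """Set of Effect values ('Allow'/'Deny') of the statements that match the request."""
    return {s["Effect"] for s in policy["Statement"]
            if _statement_applies(s, action, resource, principal_arn)}


def kms_authorizes(key_policy, identity_policy, role_arn, action, key_arn=KEY_ARN):
    key_effects = _effects(key_policy, action, key_arn, role_arn)
    iam_effects = _effects(identity_policy, action, key_arn)
    if "Deny" in key_effects or "Deny" in iam_effects:
        return False  # rule 1: an explicit Deny anywhere wins
    if "Allow" in key_effects:
        return True   # rule 2a: key policy names the role directly
    root_arn = f"arn:aws:iam::{ACCOUNT_ID}:root"
    delegated = "Allow" in _effects(key_policy, action, key_arn, root_arn)
    return delegated and "Allow" in iam_effects  # rule 2b: IAM Allow via root delegation


def evaluate_scenario(actions=("kms:Encrypt", "kms:GenerateDataKey", "kms:Decrypt")):
    """Per instance role: which of the actions needed to encrypt and read back files succeed."""
    roles = {
        "EC2A": (f"arn:aws:iam::{ACCOUNT_ID}:role/EC2RoleA", ROLE_A_POLICY),
        "EC2B": (f"arn:aws:iam::{ACCOUNT_ID}:role/EC2RoleB", ROLE_B_POLICY),
    }
    return {name: {a: kms_authorizes(KEY_POLICY, pol, arn, a) for a in actions}
            for name, (arn, pol) in roles.items()}


if __name__ == "__main__":
    for role, verdicts in evaluate_scenario().items():
        print(role, verdicts)
```

Running it shows two points worth keeping in mind when reviewing a KMS setup: a role with no IAM policy at all is not blocked when the key policy grants it directly, and an explicit Deny in an identity policy cannot be overridden by any Allow in the key policy. It also shows why auditing only the actions named in a Deny is not enough: EC2RoleB's Deny covers Encrypt, Decrypt and DescribeKey but not GenerateDataKey, so the role could still mint data keys even though it can never decrypt them again.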