Question 374:
You are using Amazon RDS as a relational database for your web application in AWS. All your data stored in Amazon RDS is encrypted using AWS KMS. Encryption of this data is handled by a separate team of 4 users (User A, B, C, & D) in the Security Team. They have created 2 CMKs for the encryption of data. During the annual audit, auditors raised concerns about each user's access to these CMKs. The Security Team has the following IAM policies & key policies set for AWS KMS:
· CMK1 is created by the AWS KMS API & has a default key policy.
· CMK2 has the default key policy created by the AWS Management Console & allows User D.
· User C has an IAM policy denying all actions for CMK1 while allowing them for CMK2.
· User A & User B have an IAM policy allowing access to CMK1 while denying access to CMK2.
· User D has an IAM policy allowing full access to AWS KMS.
Which of the following is the correct statement about the access each user has to the AWS KMS CMKs?
Answer options:
A. User A & B can use only CMK1, user C cannot use CMK1, while user D can use both CMK1 & CMK2.
B. User A & B can use CMK1 & CMK2, user C can use only CMK2, while user D can use both CMK1 & CMK2.
C. User A & B can use CMK1, user C can use CMK1 & CMK2, while user D can use both CMK1 & CMK2.
D. User A & B can use only CMK1, user C can use only CMK2, while user D cannot use both CMK1 & CMK2.