Question 453:
Your team creates a Customer Managed Key (CMK) in KMS in an AWS account (111122223333). The key is to be used by another account (444455556666) for encryption and decryption operations. At the moment, only IAM user Bob and IAM role Admin in account 444455556666 need access. Which configurations are required together to meet this requirement? (Select TWO.)
Answer options:
A. Edit the Principal of the key policy as below:
    "Principal": {
        "AWS": [
            "arn:aws:iam::444455556666:root"
        ]
    }
B. Edit the Principal of the key policy as below:
    "Principal": {
        "AWS": [
            "arn:aws:iam::444455556666:role/Admin",
            "arn:aws:iam::444455556666:user/Bob"
        ]
    }
C. Edit the Principal of the key policy as below:
    "Principal": {
        "AWS": [
            "arn:aws:iam::444455556666:root",
            "arn:aws:iam::444455556666:role/Admin",
            "arn:aws:iam::444455556666:user/Bob"
        ]
    }
D. In account 444455556666, allow the KMS encryption and decryption actions as below:
    "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
E. In account 444455556666, allow the KMS encryption and decryption actions as below:
    "Principal": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"