DEA-C01 Question #186: Real Exam Question with Answer & Explanation
The correct answer is E: Add the KMS key as a resource that the QuickSight service role can access.
Question
A company uses Amazon S3 to store data and Amazon QuickSight to create visualizations. The company has an S3 bucket in an AWS account named Hub-Account. The S3 bucket is encrypted by an AWS Key Management Service (AWS KMS) key. The company's QuickSight instance is in a separate account named BI-Account. The company updates the S3 bucket policy to grant access to the QuickSight service role. The company wants to enable cross-account access to allow QuickSight to interact with the S3 bucket. Which combination of steps will meet this requirement? (Choose two.)
Options
- A. Use the existing AWS KMS key to encrypt connections from QuickSight to the S3 bucket.
- B. Add the S3 bucket as a resource that the QuickSight service role can access.
- C. Use AWS Resource Access Manager (AWS RAM) to share the S3 bucket with the BI-Account.
- D. Add an IAM policy to the QuickSight service role to give QuickSight access to the KMS key that
- E. Add the KMS key as a resource that the QuickSight service role can access.
Explanation
To enable cross-account access for Amazon QuickSight to an S3 bucket encrypted by AWS KMS, given the S3 bucket policy is already updated, the critical missing step is to update the KMS key policy in the key's owning account.
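The key-policy change the explanation refers to, shown as an added example that is not part of the original page: a statement in the Hub-Account KMS key policy that lets the QuickSight service role in BI-Account decrypt objects with this key, and only when the request comes through S3. The `<HUB_ACCOUNT_ID>`, `<BI_ACCOUNT_ID>` and `<REGION>` values are placeholders, and the role ARN assumes the default QuickSight service role name.

```json
{
  "Version": "2012-10-17",
  "Id": "hub-account-s3-bucket-key-policy",
  "Statement": [
    {
      "Sid": "EnableHubAccountRootPermissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<HUB_ACCOUNT_ID>:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowQuickSightServiceRoleInBIAccountViaS3",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<BI_ACCOUNT_ID>:role/service-role/aws-quicksight-service-role-v0"
      },
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.<REGION>.amazonaws.com"
        }
      }
    }
  ]
}
```

The `kms:ViaService` condition limits the cross-account grant to S3 requests in that region, so the role cannot call KMS directly with this key. As the explanation of option D notes, the role in BI-Account still needs an identity policy allowing the same KMS actions on this key's ARN; the key policy is what grants the cross-account permission.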
Common mistakes
- A. The KMS key encrypts the S3 objects at rest, not the connection from QuickSight to the S3 bucket; connection encryption (like TLS) is handled separately and is not the primary cross-account access challenge here.
- B. The question states that the S3 bucket policy has already been updated to grant access to the QuickSight service role, making this step redundant as per the problem description.
- C. AWS Resource Access Manager (RAM) is primarily used for sharing certain AWS resources like subnets, transit gateways, or license configurations, but not directly for sharing S3 buckets or KMS keys in a manner that resolves cross-account access for QuickSight data sources.
- D. While an IAM policy attached to the QuickSight service role is also required to allow it to make KMS API calls, the fundamental cross-account permission must first be granted by the KMS key's resource policy, making the key policy modification the foundational step for resource access.
Concept tested: Cross-account S3 access with KMS encryption