DVA-C02 · Question #553
A company uses two AWS accounts: production and development. The company stores data in an Amazon S3 bucket that is in the production account. The data is encrypted with an AWS Key Management Service
The correct answer is B. Create a new customer managed KMS key in the development account. Specify the production. Option B is correct because customer managed KMS keys in the development account support custom key policies, which can explicitly grant principals from the production account permission to use the key - this is exactly what's needed to encrypt data being copied cross-account. A
Question
A company uses two AWS accounts: production and development. The company stores data in an Amazon S3 bucket that is in the production account. The data is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The company plans to copy the data to another S3 bucket that is in the development account. A developer needs to use a KMS key to encrypt the data in the S3 bucket that is in the development account. The KMS key in the development account must be accessible from the production account. Which solution will meet these requirements?
Options
- AReplicate the customer managed KMS key from the production account to the development
- BCreate a new customer managed KMS key in the development account. Specify the production
- CCreate a new AWS managed KMS key for Amazon S3 in the development account. Specify the
- DReplicate the default AWS managed KMS key for Amazon S3 from the production account to the
How the community answered
(33 responses)- A3% (1)
- B76% (25)
- C6% (2)
- D15% (5)
Explanation
Option B is correct because customer managed KMS keys in the development account support custom key policies, which can explicitly grant principals from the production account permission to use the key - this is exactly what's needed to encrypt data being copied cross-account.
A is wrong because KMS keys cannot be replicated or exported between accounts; they are bound to the account and region where they were created.
C is wrong because AWS managed keys (like aws/s3) do not allow modification of their key policies, so you cannot grant cross-account access to them - only customer managed keys support that.
D is wrong for both reasons above: AWS managed keys cannot be replicated, and even if they could, their policies are not modifiable to permit cross-account use.
Memory tip: Think "Customer Managed = Customizable." Only customer managed KMS keys let you edit the key policy to add external account principals. Whenever a question involves cross-account KMS access, the answer will always involve a customer managed key with an updated key policy.
Topics
Community Discussion
No community discussion yet for this question.