DVA-C02 Question #624: Real Exam Question with Answer & Explanation
The correct answer is A: Use a customer managed key to encrypt the files. Create a key policy that grants kms:Decrypt. Using a customer managed KMS key with a key policy granting decrypt permissions to the second AWS account ensures the second account can decrypt the encrypted files. Creating an S3 bucket policy granting the second AWS account permission to get objects allows secure cross-account
Question
A developer is using an AWS account to build an application that stores files in an Amazon S3 bucket. Files must be encrypted at rest by AWS KMS keys. A second AWS account must have access to read files from the bucket. The developer wants to minimize operational overhead for the application. Which combination of solutions will meet these requirements? (Choose two.)
Options
- A. Use a customer managed key to encrypt the files. Create a key policy that grants kms:Decrypt
- B. Use an AWS managed key to encrypt the files. Create a key policy that grants kms:Decrypt
- C. Create a service control policy (SCP) that grants s3:GetObject permissions to the second AWS
- D. Create a bucket policy for the S3 bucket that grants s3:GetObject permissions to the second
- E. Create a gateway endpoint for the S3 bucket. Modify the endpoint policy to grant s3:GetObject
Explanation
Using a customer managed KMS key with a key policy granting decrypt permissions to the second AWS account ensures the second account can decrypt the encrypted files. Creating an S3 bucket policy granting the second AWS account permission to get objects allows secure cross-account access to the bucket contents.
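As an added example that is not part of this exam page, here are the two resource-based policies the correct options describe, plus a simplified check showing that the second account needs both grants to read an SSE-KMS object. Account IDs and the bucket name are constructed placeholders.

```python
# Added example (not from the exam page): the two resource-based policies
# behind options A and D, plus a simplified check that both are needed.
OWNER_ACCOUNT = "111111111111"   # constructed: owns the bucket and the key
READER_ACCOUNT = "222222222222"  # constructed: the second AWS account
BUCKET = "example-encrypted-files"  # constructed

def key_policy(owner: str, reader: str) -> dict:
    """Customer managed key policy: owner keeps full control, reader account
    gets kms:Decrypt. An AWS managed key's policy is not editable, so it
    cannot carry the ReaderDecrypt statement (why option B fails)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "OwnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{owner}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "ReaderDecrypt", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{reader}:root"},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}

def bucket_policy(bucket: str, reader: str) -> dict:
    """Bucket policy granting the reader account s3:GetObject on every object."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReaderGetObject", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{reader}:root"},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}

def _allows(policy: dict, principal: str, action: str) -> bool:
    """Simplified check: some Allow statement names this principal and action
    (exact or service wildcard). Real IAM evaluation also applies Deny
    statements and Condition blocks, which this example ignores."""
    for st in policy["Statement"]:
        principals = st["Principal"].get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == "Allow" and principal in principals and any(
                a == action or a == action.split(":")[0] + ":*" for a in actions):
            return True
    return False

def reader_can_read(reader: str, kp: dict, bp: dict) -> bool:
    """Reading an SSE-KMS object cross-account needs BOTH grants; a bucket
    policy alone leaves the ciphertext unreadable. The reader account must
    also allow these actions in its own IAM identity policies."""
    principal = f"arn:aws:iam::{reader}:root"
    return _allows(bp, principal, "s3:GetObject") and _allows(kp, principal, "kms:Decrypt")
```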