nerdexam
Amazon

DVA-C02 · Question #704

A developer is updating an application to store data in an Amazon S3 bucket. The application and the S3 bucket are in the same AWS account. The data needs to be encrypted by an AWS KMS key. The data m

The correct answer is B. Use a customer managed KMS key to encrypt the data. E. Update the KMS key policy to allow access from the second AWS account.. A customer managed KMS key is required to grant cross-account access, unlike AWS managed keys which are limited to a single account. The KMS key policy must explicitly grant usage permissions to the second AWS account so it can decrypt the data encrypted with the key.

Submitted by chiamaka_o· Mar 5, 2026Security

Question

A developer is updating an application to store data in an Amazon S3 bucket. The application and the S3 bucket are in the same AWS account. The data needs to be encrypted by an AWS KMS key. The data must be accessible to an application that runs in a second AWS account. The developer has already created a bucket policy that allows the second AWS account to access the S3 bucket. Which combination of steps should the developer take to meet these requirements? (Choose two.)

Options

  • AUse an AWS managed KMS key to encrypt the data.
  • BUse a customer managed KMS key to encrypt the data.
  • CUpdate the S3 bucket policy to allow access to the KMS key.
  • DUpdate the KMS key policy to allow access from the S3 bucket.
  • EUpdate the KMS key policy to allow access from the second AWS account.

How the community answered

(36 responses)
  • A
    6% (2)
  • B
    61% (22)
  • C
    11% (4)
  • D
    22% (8)

Explanation

A customer managed KMS key is required to grant cross-account access, unlike AWS managed keys which are limited to a single account. The KMS key policy must explicitly grant usage permissions to the second AWS account so it can decrypt the data encrypted with the key.

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice