SCS-C02 Question #449: Real Exam Question with Answer & Explanation

Question

A security engineer is working with a development team to design a supply chain application that stores sensitive inventory data in an Amazon S3 bucket. The application will use an AWS Key Management Service (AWS KMS) customer managed key to encrypt the data in Amazon S3. The inventory data in Amazon S3 will be shared with hundreds of vendors. All vendors will use AWS principals from their own AWS accounts to access the data in Amazon S3. The vendor list might change weekly. The security engineer needs to find a solution that supports cross-account access. Which solution is the MOST operationally efficient way to manage access control for the customer managed key?

Options

• AUse KMS grants to manage key access. Programmatically create and revoke grants to manage
• BUse am IAM role to manage key access. Programmatically update the IAM role policies to
• CUse KMS key policies to manage key access. Programmatically update the KMS key policies to
• DUse delegated access across AWS accounts by using IAM roles to manage key access.

Explanation

KMS grants provide a scalable and efficient way to manage access to AWS KMS customer- managed keys, especially for cross-account access. Grants allow you to specify who can use the key and what operations they can perform on it without needing to modify the KMS key policy itself. Grants are flexible and can be created, modified, and revoked programmatically, making them ideal for situations where the vendor list changes frequently. This approach minimizes operational overhead while allowing the security engineer to dynamically control access to the KMS key as vendor requirements change.

No community discussion yet for this question.