SCS-C02 · Question #466
Correct answer: B
Question
A security engineer is implementing a logging solution for a company's AWS environment. The security engineer has configured an AWS CloudTrail trail in the company's AWS account. The logs are stored in an Amazon S3 bucket for a third-party service provider to monitor. The service provider has a designated IAM role to access the S3 bucket. The company requires all logs to be encrypted at rest with a customer managed key. The security engineer uses AWS Key Management Service (AWS KMS) to create the customer managed key and key policy. The security engineer also configures CloudTrail to use the key to encrypt the trail. After the security engineer implements this configuration, the service provider can no longer read the logs. What should the security engineer do to allow the service provider to read the logs?
Options
- A. Ensure that the S3 bucket policy allows access to the service provider's role to decrypt objects.
- B. Add a statement to the key policy to allow the service provider's role the kms:Decrypt action for
- C. Add the AWSKeyManagementServicePowerUser AWS managed policy to the service provider's
- D. Migrate the key to AWS Certificate Manager (ACM) to create a shared endpoint for access to the
Explanation
When a customer managed AWS KMS key is used to encrypt CloudTrail logs, any role or principal that needs to read (decrypt) the logs must be allowed the kms:Decrypt action on that key. An S3 bucket policy can only grant S3 actions such as s3:GetObject; it cannot grant permission to use a KMS key, so the service provider's role keeps its S3 access but is denied when S3 asks KMS to decrypt the object on its behalf. Adding a statement to the key policy that grants kms:Decrypt to the service provider's IAM role gives that role the permission it is missing, so it can decrypt and read the encrypted logs in the S3 bucket.