nerdexam

SCS-C03 · Question #21

SCS-C03 Question #21: Real Exam Question with Answer & Explanation

The correct answer is C: Use the kms:EncryptionContext condition key when defining IAM policies for the customer.

Submitted by kwame.gh · Mar 6, 2026

Question

A security engineer needs to control access to data that is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The security engineer also needs to use additional authenticated data (AAD) to prevent tampering with ciphertext. Which solution will meet these requirements?

Options

  • A. Pass the key alias to AWS KMS when calling the Encrypt and Decrypt API actions.
  • B. Use IAM policies to restrict access to the Encrypt and Decrypt API actions.
  • C. Use the kms:EncryptionContext condition key when defining IAM policies for the customer.
  • D. Use key policies to restrict access to the appropriate IAM groups.

Explanation

AWS KMS supports additional authenticated data (AAD) through the encryption context. In the AWS KMS documentation, an encryption context is a set of non-secret key-value pairs that is cryptographically bound to the ciphertext when a symmetric encryption KMS key is used. A Decrypt request must supply exactly the same encryption context that was used when encrypting; otherwise KMS rejects the request (an InvalidCiphertextException) and no plaintext is returned. This is what protects against ciphertext tampering and against reusing a ciphertext outside the application, environment, or workflow it was produced for. Because the context is authenticated but not encrypted, it is recorded in plaintext in CloudTrail and must not contain secrets.

The policy side is the kms:EncryptionContext:context-key condition key (with kms:EncryptionContextKeys to constrain which key names may appear). Using it in IAM policies or key policies requires callers to pass specific encryption context values on Encrypt, Decrypt, GenerateDataKey and related operations, so use of the key can be tied to particular applications, environments, or workflows. Note the division of labour: the integrity check itself is performed by KMS on every Decrypt regardless of policy; the condition key adds the access-control half, ensuring a principal can only use the key with the context values the policy names.

Option A does not provide integrity protection: the alias only identifies the key. Option B controls who can call Encrypt and Decrypt but does not require an encryption context. Option D restricts access without involving encryption context at all (and IAM groups are not valid principals in a key policy). AWS documentation recommends supplying an encryption context with every symmetric encryption operation and using it in policy conditions to constrain how the key may be used, which is what option C does.
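The following is an added example, not code from the page or from AWS, that models the two mechanisms the explanation separates: an AAD-bound ciphertext that fails to decrypt under a different context, and a policy statement whose kms:EncryptionContext:app, kms:EncryptionContext:env and kms:EncryptionContextKeys conditions gate the request before any decryption happens. The cipher is a deliberately simple stand-in built from HMAC-SHA256 (KMS uses a real AEAD internally; this one is for illustration only), the policy evaluator handles only the two condition operators it uses, and the key ARN, principal, context keys and values are assumed placeholders.

```python
"""Toy model of AWS KMS encryption context (AAD) plus the
kms:EncryptionContext policy condition.  Added example, not AWS code.
The cipher is an illustrative HMAC-based construction, not KMS's AEAD."""
import hashlib
import hmac
import json
import secrets

CONTEXT_CONDITION_PREFIX = "kms:EncryptionContext:"


def canonical_context(context):
    # KMS treats the encryption context as an unordered set of string pairs,
    # so the AAD must not depend on insertion order.
    return json.dumps(sorted(context.items()), separators=(",", ":")).encode()


def _subkey(key, label):
    # Separate keys for confidentiality and integrity (domain separation).
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _tag(mac_key, nonce, aad, body):
    # Length-prefix the AAD so (aad, body) boundaries are unambiguous.
    msg = len(aad).to_bytes(4, "big") + aad + nonce + body
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def encrypt(key, plaintext, context):
    """Bind `context` to the ciphertext as AAD; returns nonce|body|tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = _tag(_subkey(key, b"mac"), nonce, canonical_context(context), body)
    return nonce + body + tag


def decrypt(key, blob, context):
    """Fails unless ciphertext AND context are exactly what was encrypted."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = _tag(_subkey(key, b"mac"), nonce, canonical_context(context), body)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("InvalidCiphertextException")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


# A key-policy statement of the kind option C describes.  The condition keys
# are real KMS condition keys; the principal ARN and context values are
# placeholders assumed for this example.
KEY_POLICY_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/PaymentsApp"},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:EncryptionContext:app": "payments",
            "kms:EncryptionContext:env": "prod",
        },
        "ForAllValues:StringEquals": {"kms:EncryptionContextKeys": ["app", "env"]},
    },
}


def condition_allows(statement, context):
    """Evaluate only the two context-related condition operators above.
    (Real IAM also matches principal, action, resource and explicit denies.)"""
    cond = statement.get("Condition", {})
    for cond_key, wanted in cond.get("StringEquals", {}).items():
        name = cond_key[len(CONTEXT_CONDITION_PREFIX):]
        if context.get(name) != wanted:      # missing key fails StringEquals
            return False
    allowed = cond.get("ForAllValues:StringEquals", {}).get("kms:EncryptionContextKeys")
    if allowed is not None and not set(context) <= set(allowed):
        return False
    return True


def kms_decrypt_request(policy, key, blob, context):
    """Order mirrors KMS: authorization first, then the AAD integrity check."""
    if not condition_allows(policy, context):
        return "AccessDeniedException"
    try:
        return decrypt(key, blob, context)
    except ValueError:
        return "InvalidCiphertextException"


if __name__ == "__main__":
    KEY = secrets.token_bytes(32)            # stand-in for KMS key material
    PROD = {"app": "payments", "env": "prod"}
    blob = encrypt(KEY, b"tok_4242", PROD)
    print(kms_decrypt_request(KEY_POLICY_STATEMENT, KEY, blob, PROD))
    print(kms_decrypt_request(KEY_POLICY_STATEMENT, KEY, blob, {"app": "payments", "env": "dev"}))
    tampered = blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:]
    print(kms_decrypt_request(KEY_POLICY_STATEMENT, KEY, tampered, PROD))
```

The three outcomes illustrate the answer: the correct context under the policy yields plaintext; a context the policy does not allow is refused before any cryptography runs (AccessDeniedException); and a tampered ciphertext, or one encrypted under some other context such as env=dev, passes the policy check but fails the AAD check (InvalidCiphertextException). Options B and D would deliver only the first of those controls.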

Community Discussion

No community discussion yet for this question.
