SOA-C02 Question #713: Real Exam Question with Answer & Explanation
The correct answer is A: Create a customer managed KMS key. Add a resource policy that allows the Lambda function to
Question
A company has a security AWS account and a production AWS account. The company stores API keys as a secret in AWS Secrets Manager in the security account. The company uses an AWS Key Management Service (AWS KMS) AWS managed key to encrypt the secret. An AWS Lambda function in the production account returns an error when the function attempts to access the secret. Which combination of actions in the security account will allow the Lambda function to access the secret? (Choose two.)
Options
- A. Create a customer managed KMS key. Add a resource policy that allows the Lambda function to
- B. Create a customer managed KMS key. Add a resource policy that allows the Lambda function to
- C. Update the AWS managed KMS key's resource policy. In the policy, allow the Lambda function to
- D. Add a resource policy to the secret. In the policy, allow the Lambda function to perform the
- E. Add a resource policy to the secret. In the policy, allow the Lambda function to perform the
Explanation
Use a customer managed KMS key, because the key policy of an AWS managed key cannot be edited and AWS managed keys cannot be used by principals in another account. In the customer managed key's key policy, grant the Lambda function's execution role kms:Decrypt and kms:DescribeKey, then re-encrypt the secret with that key. Also attach a resource policy to the secret that lets the Lambda role call secretsmanager:GetSecretValue. Together, these permissions allow cross-account retrieval and decryption.
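The two security-account policies the explanation describes, written out as an added example (this is not code from the exam page or from AWS). The account IDs, region, role name and statement IDs are constructed placeholders; the small `allowed_actions` checker is a deliberately simplified policy reader used only to confirm that each document grants the Lambda role exactly the actions named above.

```python
"""Cross-account Secrets Manager access: the two security-account policies.

Added example, not from the exam page. Account IDs, role name and region
are constructed placeholders, not real identifiers.
"""
import json

SECURITY_ACCOUNT = "111122223333"    # placeholder: owns the secret and the key
PRODUCTION_ACCOUNT = "444455556666"  # placeholder: owns the Lambda function
LAMBDA_ROLE_ARN = f"arn:aws:iam::{PRODUCTION_ACCOUNT}:role/prod-secret-reader"  # placeholder
REGION = "us-east-1"                 # placeholder region of the secret


def key_policy(security_account: str, lambda_role_arn: str) -> dict:
    """Key policy for the customer managed key in the security account.

    The first statement keeps the key owner able to administer the key
    (without it the key becomes unmanageable). The second grants only the
    decrypt-side actions the Lambda role needs, and kms:ViaService limits
    that use to calls made through Secrets Manager in one region.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowKeyAdministrationByAccount",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{security_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowLambdaRoleToDecryptSecret",
                "Effect": "Allow",
                "Principal": {"AWS": lambda_role_arn},
                "Action": ["kms:Decrypt", "kms:DescribeKey"],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "kms:ViaService": f"secretsmanager.{REGION}.amazonaws.com"
                    }
                },
            },
        ],
    }


def secret_resource_policy(lambda_role_arn: str) -> dict:
    """Resource policy attached to the secret itself.

    In a Secrets Manager resource policy, Resource "*" means this secret.
    Only GetSecretValue is granted; no write or describe actions.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowLambdaRoleToReadSecret",
                "Effect": "Allow",
                "Principal": {"AWS": lambda_role_arn},
                "Action": "secretsmanager:GetSecretValue",
                "Resource": "*",
            }
        ],
    }


def allowed_actions(policy: dict, principal_arn: str) -> set:
    """Actions the policy explicitly allows the given principal.

    Simplified reader: looks only at Allow statements with an "AWS"
    principal and ignores Conditions and wildcards. Enough to check the
    two grants above; not a general IAM evaluator.
    """
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if principal_arn not in principals:
            continue
        acts = stmt["Action"]
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def required_grants_present(lambda_role_arn: str) -> bool:
    """True when both documents grant the role the actions it needs."""
    kms_ok = {"kms:Decrypt", "kms:DescribeKey"} <= allowed_actions(
        key_policy(SECURITY_ACCOUNT, lambda_role_arn), lambda_role_arn)
    sm_ok = "secretsmanager:GetSecretValue" in allowed_actions(
        secret_resource_policy(lambda_role_arn), lambda_role_arn)
    return kms_ok and sm_ok


if __name__ == "__main__":
    print(json.dumps(key_policy(SECURITY_ACCOUNT, LAMBDA_ROLE_ARN), indent=2))
    print(json.dumps(secret_resource_policy(LAMBDA_ROLE_ARN), indent=2))
    print("required grants present:", required_grants_present(LAMBDA_ROLE_ARN))
```

The key policy would be applied with `kms:PutKeyPolicy`, the secret moved to the new key with `secretsmanager:UpdateSecret` (its `KmsKeyId` parameter), and the second document attached with `secretsmanager:PutResourcePolicy`. These are only the security-account half of the setup: the Lambda execution role in the production account still needs an identity policy allowing the same `kms:Decrypt`, `kms:DescribeKey` and `secretsmanager:GetSecretValue` actions on those resources, since cross-account access requires both sides to allow it.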