Q18 — AWS DVA-C02 Ch.3


A developer is writing an IAM policy document to grant administrators access to AWS Key Management Service (AWS KMS) for federated identity users. The federated IAM role name is FederatedIAMRole, and the username is KeyAdmin. How should the developer specify the principal in the KMS key policy to meet these requirements?

Correct Answer: D. "Principal": {"AWS": "arn:aws:sts::123456789012:assumed-role/FederatedIAMRole/KeyAdmin"}

Explanation

For federated users who assume an IAM role, the principal ARN in a KMS key policy must use the `assumed-role` format, which identifies the role session, that is, the temporary security credentials issued after role assumption. Note that the service namespace in such an ARN is `sts`, not `iam`, and the path carries the role name followed by the session name. Option D correctly uses `arn:aws:sts::123456789012:assumed-role/FederatedIAMRole/KeyAdmin`, which matches the expected ARN structure for an assumed-role session. Option A incorrectly uses `role/`, which refers to the IAM role itself rather than the assumed session. Options B and C use the `user/` format, which is not valid for federated role sessions.