Q53 — AWS SOA-C02 Ch.1
Question 53 of 100
A company is partnering with an external vendor to provide data processing services. For this integration, the vendor must host the company's data in an Amazon S3 bucket in the vendor's AWS account. The vendor is allowing the company to provide an AWS Key Management Service (AWS KMS) key to encrypt the company's data. The vendor has provided an IAM role Amazon Resource Name (ARN) to the company for this integration. What should a SysOps administrator do to configure this integration?
- A. Create a new KMS key. Add the vendor's IAM role ARN to the KMS key policy. Provide the new KMS key ARN to the vendor. ✓
- B. Create a new KMS key. Create a new IAM user. Add the vendor's IAM role ARN to an inline policy that is attached to the IAM user. Provide the new IAM user ARN to the vendor.
- C. Configure encryption using the KMS managed S3 key. Add the vendor's IAM role ARN to the KMS key policy. Provide the KMS managed S3 key ARN to the vendor.
- D. Configure encryption using the KMS managed S3 key. Create an S3 bucket. Add the vendor's IAM role ARN to the S3 bucket policy. Provide the S3 bucket ARN to the vendor.
Correct Answer: A. Create a new KMS key. Add the vendor's IAM role ARN to the KMS key policy. Provide the new KMS key ARN to the vendor.
Explanation
Cross-account use of a KMS key is controlled first by the key's own policy. An IAM policy in the vendor's account cannot grant access to a key it does not own; the key policy in the key-owning account must explicitly allow the external principal, here the vendor's IAM role ARN. Option A does exactly that: it creates a customer managed key in the company's account, adds the vendor role ARN to the key policy, and gives the vendor the key ARN so the vendor can set it as the SSE-KMS key on its bucket.

Option B does not fit the scenario. The vendor supplied a role ARN, not a user, and an inline policy on an IAM user in the company's account authorizes that user, not a principal in another account. Options C and D rely on the AWS managed key for Amazon S3 (aws/s3). Its key policy is managed by AWS and cannot be edited, and AWS managed keys can only be used by the account that owns them, so the key cannot be shared with the vendor; the question also asks for a key the company provides. Option D additionally puts the role ARN in an S3 bucket policy, which governs object access rather than use of a KMS key, and the bucket in question lives in the vendor's account anyway.

Points a practitioner should check before calling this done:

- A key policy allow is necessary but not sufficient. The vendor must also attach an identity-based policy to the role in their account that allows the same kms: actions on the key ARN. Both policies must allow the call.
- Hand over the full key ARN (or an alias ARN), not a bare alias name; a bare alias is resolved in the caller's account and will not find the company's key.
- Grant only what S3 needs to encrypt and decrypt objects: kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, and kms:DescribeKey. Keep administrative actions (kms:PutKeyPolicy, kms:ScheduleKeyDeletion, and so on) for the company's account, and consider a kms:ViaService condition so the role can use the key only through S3.
- KMS keys are regional. A single-Region key must be in the same Region as the vendor's bucket.
- Because the company owns the key, it can revoke the vendor's access at any time by editing the key policy.
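The key policy that option A calls for, as an added example that is not part of the exam or of AWS documentation: a Python script that builds the policy for a vendor role and then checks, with a deliberately simplified local evaluator, what the policy grants and what it withholds. The account IDs, role name, and Region are placeholders; the evaluator only models explicit Allow/Deny, exact principal matching, and the kms:ViaService condition, so it is a sanity check on the document you are about to upload, not a substitute for IAM's real evaluation (which also requires an allow in the vendor's identity policy).

```python
"""Build and sanity-check a KMS key policy for cross-account S3 encryption.

Illustrative example only. Upload the generated JSON with the AWS CLI, e.g.
  aws kms create-key --policy file://key-policy.json
  aws kms put-key-policy --key-id <key-id> --policy-name default \
      --policy file://key-policy.json
"""
import fnmatch
import json

# Hypothetical identifiers for the example (assumed, not from the question).
COMPANY_ACCOUNT = "111111111111"
VENDOR_ROLE_ARN = "arn:aws:iam::222222222222:role/VendorDataProcessing"
REGION = "us-east-1"

# What S3 needs in order to encrypt and decrypt objects with the key.
# Nothing administrative is granted to the vendor.
VENDOR_USE_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
]


def build_key_policy(company_account, vendor_role_arn, region):
    """Return the key policy document as a dict (json.dumps it for the CLI)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Keep full control in the key-owning account so the key never
                # becomes unmanageable and the vendor's access can be revoked.
                "Sid": "EnableRootAccountPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{company_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                # Cross-account grant to the vendor role, usable only via S3 in
                # the key's Region (the condition must match the bucket Region).
                "Sid": "AllowVendorRoleToUseKeyViaS3",
                "Effect": "Allow",
                "Principal": {"AWS": vendor_role_arn},
                "Action": VENDOR_USE_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}
                },
            },
        ],
    }


def _action_matches(actions, action):
    patterns = actions if isinstance(actions, list) else [actions]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _principal_matches(principal, arn):
    # Simplified: exact ARN match only. Real IAM treats an account root
    # principal as delegating to that account's IAM policies.
    if principal == "*":
        return True
    allowed = principal.get("AWS", [])
    if isinstance(allowed, str):
        allowed = [allowed]
    return arn in allowed or "*" in allowed


def key_policy_allows(policy, principal_arn, action, via_service=None):
    """Evaluate the key policy alone: explicit Deny wins, otherwise an Allow
    whose principal, action and kms:ViaService condition all match is needed."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], principal_arn):
            continue
        if not _action_matches(stmt["Action"], action):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "kms:ViaService" in cond and cond["kms:ViaService"] != via_service:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def owner_retains_control(policy, company_account):
    """Lockout guard: the owning account must still be able to edit the policy."""
    root = f"arn:aws:iam::{company_account}:root"
    return key_policy_allows(policy, root, "kms:PutKeyPolicy")


if __name__ == "__main__":
    policy = build_key_policy(COMPANY_ACCOUNT, VENDOR_ROLE_ARN, REGION)
    assert owner_retains_control(policy, COMPANY_ACCOUNT)
    s3 = f"s3.{REGION}.amazonaws.com"
    print("vendor decrypt via S3:", key_policy_allows(policy, VENDOR_ROLE_ARN, "kms:Decrypt", s3))
    print("vendor decrypt direct:", key_policy_allows(policy, VENDOR_ROLE_ARN, "kms:Decrypt"))
    print("vendor delete key:", key_policy_allows(policy, VENDOR_ROLE_ARN, "kms:ScheduleKeyDeletion", s3))
    print(json.dumps(policy, indent=2))
```

On the vendor side, the bucket's default encryption is then set to SSE-KMS with the company's key ARN as the KMSMasterKeyID, and the role gets an identity policy allowing the same five actions on that key ARN. If the vendor ever needs to call KMS directly (for example client-side encryption rather than S3 SSE-KMS), the kms:ViaService condition has to be relaxed accordingly.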