AWS KMS Encryption and Key Policies

Can EC2A and EC2B Encrypt Files Using the Customer Master Key?

Question

As a DevOps engineer, you are helping the team to build up AWS services for a new project.

Applications are deployed in two EC2 instances EC2A and EC2B.

Both instances need to encrypt dozens of files using a Customer Master Key in KMS.

The CMK has the below key policy:

{
  "Id": "key-consolepolicy-1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:role/EC2RoleA",
          "arn:aws:iam::123456789012:role/EC2RoleB"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}

EC2RoleA is the role used by EC2A and does not have any IAM policy related to KMS.

EC2RoleB is the role used by EC2B and has the below IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}

Both IAM roles are within the same AWS account as the CMK.

Are EC2A and EC2B able to use the key for encryption properly?

Answers

Explanations

A. B. C. D.

Correct Answer - D.

Refer to https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html for how to perform access control for KMS via key policy and IAM policy.

In this case, the key and IAM roles are within the same AWS account and there is already an explicit allow in the key policy for both EC2RoleA and EC2RoleB.

In the IAM role policy, as long as there is no explicit deny, the EC2 instances using the IAM role can use the key.

As a result, EC2A is allowed to perform the encryption action.

However, for EC2B, there will be an AccessDeniedException since the role has an explicit deny.

Options A and C are incorrect: Refer to the above.

Option D is CORRECT: Because explicit deny always takes priority.

The sequence of evaluating policies is “explicit deny” > “explicit allow” > “implicit deny”.

The general policy evaluation logic within AWS can be found in https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html.

The answer to this question is option D. EC2A can use the CMK for encryption. However, EC2B cannot use the CMK.

Explanation:

The key policy of the CMK allows both EC2RoleA and EC2RoleB to use the key for encryption, decryption, and other related actions. Therefore, EC2A and EC2B are both authorized to use the key for encryption.

However, the IAM policy attached to EC2RoleB explicitly denies the "kms:Decrypt", "kms:Encrypt", and "kms:DescribeKey" actions for all KMS resources. This means that EC2B cannot use the key for encryption, decryption, or even to describe the key.

In contrast, EC2RoleA does not have any IAM policy related to KMS, so EC2A can use the key for encryption without any issues.

In summary, both instances are authorized to use the key for encryption, but only EC2A can actually use it due to the IAM policy attached to EC2RoleB. Therefore, the correct answer is option D.
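The following is an added example, not part of the question or either explanation above: a small Python simulator of the evaluation order both explanations rely on (explicit deny > explicit allow > implicit deny), run over the exact key policy and IAM policy given in the question. It assumes a same-account caller, a constructed placeholder key ARN (the question gives none), and ignores KMS grants, conditions, SCPs and permission boundaries; it also models the rule from the linked KMS documentation that an IAM identity policy can only grant access to a key when the key policy contains the account-root statement, while an IAM explicit deny applies regardless.

```python
"""Simulate IAM/KMS policy evaluation for the two roles in the question."""
import fnmatch
import json

ACCOUNT_ID = "123456789012"
# Constructed placeholder: the question does not state the CMK's ARN.
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/EXAMPLE-KEY-ID"

ROLE_A = f"arn:aws:iam::{ACCOUNT_ID}:role/EC2RoleA"
ROLE_B = f"arn:aws:iam::{ACCOUNT_ID}:role/EC2RoleB"

# Key policy exactly as given in the question.
KEY_POLICY = json.loads("""
{
  "Id": "key-consolepolicy-1",
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::123456789012:role/EC2RoleA",
                           "arn:aws:iam::123456789012:role/EC2RoleB"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"}
  ]
}
""")

# IAM identity policies attached to each role, as given in the question.
IAM_POLICIES = {
    ROLE_A: [],  # EC2RoleA has no KMS-related IAM policy
    ROLE_B: [json.loads("""
    {
      "Version": "2012-10-17",
      "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Deny",
         "Action": ["kms:Decrypt", "kms:Encrypt", "kms:DescribeKey"],
         "Resource": "*"}
      ]
    }
    """)],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcard matching ('*' and '?'); action names are case-insensitive
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _statement_applies(stmt, action, resource):
    return (_matches(stmt.get("Action", []), action)
            and _matches(stmt.get("Resource", []), resource))


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    return "*" in aws or principal_arn in aws


def evaluate(principal_arn, action, resource=KEY_ARN,
             key_policy=KEY_POLICY, iam_policies=IAM_POLICIES):
    """Return "Allow" or "Deny" for a same-account principal calling a KMS action.

    Order: explicit deny > explicit allow > implicit deny.  An IAM identity
    policy can only *grant* access if the key policy delegates to the account
    root; an explicit deny in the IAM policy applies regardless.
    """
    root = f"arn:aws:iam::{ACCOUNT_ID}:root"
    effects = []
    iam_can_grant = False
    for stmt in key_policy["Statement"]:
        if not _statement_applies(stmt, action, resource):
            continue
        if _principal_matches(stmt, principal_arn):
            effects.append(stmt["Effect"])
        if stmt["Effect"] == "Allow" and _principal_matches(stmt, root):
            iam_can_grant = True
    for policy in iam_policies.get(principal_arn, []):
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny" or iam_can_grant:
                effects.append(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"          # explicit deny always wins
    if "Allow" in effects:
        return "Allow"         # explicit allow
    return "Deny"              # implicit deny: nothing matched


if __name__ == "__main__":
    for role in (ROLE_A, ROLE_B):
        for action in ("kms:Encrypt", "kms:DescribeKey", "kms:GenerateDataKey"):
            print(f"{role.rsplit('/', 1)[1]:9} {action:22} -> {evaluate(role, action)}")
```

Running it reproduces the answer key: EC2RoleA gets Allow for kms:Encrypt, EC2RoleB gets Deny for kms:Encrypt and kms:DescribeKey, and a role named in neither policy falls through to the implicit deny. The simulator also makes a detail visible that the prose does not: the deny statement on EC2RoleB lists only three actions, so under these policies as written EC2RoleB still evaluates to Allow for kms:GenerateDataKey, which is worth checking when reviewing whether a deny actually covers every way a key can be used.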