AWS Certified Security – Specialty SCS-C01 – Question133

An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions. The environment has the following configuration:

  • The instance is allowed the kms:Decrypt action in its IAM role for all resources
  • The AWS KMS CMK status is set to enabled
  • The instance can communicate with the KMS API using a configured VPC endpoint

What is causing the issue?

A. The kms:GenerateDataKey permission is missing from the EC2 instance’s IAM role
B. The ARN tag on the CMK contains the EC2 instance’s ID instead of the instance’s ARN
C. The kms:Encrypt permission is missing from the EC2 IAM role
D. The KMS CMK key policy that enables IAM user permissions is missing

Correct Answer: D

Explanation:

A KMS key policy is the primary access-control mechanism for a CMK; an IAM policy can grant access to the key only if the key policy contains the statement that enables IAM permissions for the account (the “Enable IAM User Permissions” statement in the default key policy). In a key policy, you use “*” for the resource, which means “this CMK.” A key policy applies only to the CMK it is attached to. Reference: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies…