AWS Certified Security – Specialty SCS-C01 – Question108

A Security Engineer is looking for a way to control access to data that is being encrypted under a CMK. The Engineer is also looking to use additional authenticated data (AAD) to prevent tampering with ciphertext. Which action would provide the required functionality?

A.
Pass the key alias to AWS KMS when calling Encrypt and DecryptAPI actions.
B. Use IAM policies to restrict access to Encrypt and DecryptAPI actions.
C. Use kms:EncryptionContextas a condition when defining IAM policies for the CMK.
D. Use key policies to restrict access to the appropriate IAM groups.

Correct Answer: D

Explanation: