{"id":333,"date":"2022-02-09T05:51:09","date_gmt":"2022-02-09T05:51:09","guid":{"rendered":"https:\/\/exampracticetests.com\/aws\/Security-Specialty_SCS-C01\/aws-certified-security-specialty-scs-c01-question267\/"},"modified":"2022-02-09T05:51:09","modified_gmt":"2022-02-09T05:51:09","slug":"aws-certified-security-specialty-scs-c01-question267","status":"publish","type":"post","link":"https:\/\/exampracticetests.com\/aws\/Security-Specialty_SCS-C01\/aws-certified-security-specialty-scs-c01-question267\/","title":{"rendered":"AWS Certified Security – Specialty SCS-C01 – Question267"},"content":{"rendered":"
A user in account 111122223333 is receiving an access denied error message while calling the AWS Key Management Service (AWS KMS) GenerateDataKey API operation. The key policy contains the following statement:
\n
\nAccount 111122223333 is not using AWS Organizations SCPs.
\nWhich combination of steps should a security engineer take to ensure that KMSUser can perform the action on the key? (Choose two.)

A.<\/strong> Modify the key policy to include the key's key ID in the Resource field.
B.<\/strong> Verify that KMSUser has no explicit denies for the GenerateDataKey action in its attached IAM policies.
C.<\/strong> Verify that KMSUser is allowed to perform the GenerateDataKey action in its attached IAM policies for the encryption context.
D.<\/strong> Ensure that KMSUser is including the encryption context key-value pair in its GenerateDataKey.
E.<\/strong> Revoke any KMS grants on the key that are denying the GenerateDataKey action for KMSUser.<\/div>\n

<\/p>\n