Topic 1 Question 225
A company’s engineering team is developing a new application that creates AWS Key Management Service (AWS KMS) customer managed key grants for users. Immediately after a grant is created, users must be able to use the KMS key to encrypt a 512-byte payload. During load testing, AccessDeniedException errors occur occasionally when a user first attempts to use the key to encrypt.
Which solution should the company’s security specialist recommend to eliminate these AccessDeniedException errors?
Instruct users to implement a retry mechanism every 2 minutes until the call succeeds.
Instruct the engineering team to consume a random grant token from users and to call the CreateGrant operation by passing the grant token to the operation. Instruct users to use that grant token in their call to encrypt.
Instruct the engineering team to create a random name for the grant when calling the CreateGrant operation. Return the name to the users and instruct them to provide the name as the grant token in the call to encrypt.
Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. Instruct users to use that grant token in their call to encrypt.
ユーザの投票
コメント(5)
- 正解だと思う選択肢: D
D. The AWS KMS API follows an eventual consistency model. When you create a grant, the grant might not be effective immediately. To use the permissions in a new grant immediately, use the grant token for the grant. https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html
👍 2m_ch3332025/01/05 - 正解だと思う選択肢: A
A because of propagation delays
👍 1jdx0002024/11/27 - 正解だと思う選択肢: D
Option A acknowledges the propagation delay but relies on a suboptimal workaround (retries) instead of using the solution designed for this exact issue (grant tokens). Therefore, D is the correct answer as it resolves the problem efficiently and aligns with AWS best practices.
👍 1HappyG2024/11/30
シャッフルモード