Topic 1 Question 96
A solutions architect needs to implement a client-side encryption mechanism for objects that will be stored in a new Amazon S3 bucket. The solutions architect created a CMK that is stored in AWS Key Management Service (AWS KMS) for this purpose.
The solutions architect created the following IAM policy and attached it to an IAM role:
During tests, the solutions architect was able to successfully get existing test objects in the S3 bucket. However, attempts to upload a new object resulted in an error message. The error message stated that the action was forbidden.
Which action must the solutions architect add to the IAM policy to meet all the requirements?
A. kms:GenerateDataKey
B. kms:GetKeyPolicy
C. kms:GetPublicKey
D. kms:Sign
User votes
Comments (5)
- Selected answer: A
A. kms:GenerateDataKey
The solutions architect needs to add the "kms:GenerateDataKey" action to the IAM policy in order to generate a data key for client-side encryption. Without this action, the IAM role does not have the necessary permissions to generate a data key, which causes the error message when attempting to upload a new object.
👍 5
masetromain 2023/01/15
I don't understand: since it's client-side encryption, it means the encryption, the key and the tools are all maintained on the client side before submitting to AWS S3, so why do we need to add kms:GenerateDataKey? We don't need KMS to do anything, since it's client-side encryption; all is done outside of AWS.
👍 3
Jesuisleon 2023/05/16
- Selected answer: A
👍 2
Untamables 2023/01/28
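The point that the accepted explanation makes, and that masetromain's comment asks about, is that "client-side" only describes where the object body is encrypted. The S3 Encryption Client using a KMS key still does envelope encryption: on PutObject it calls kms:GenerateDataKey to obtain a fresh data key plus a KMS-wrapped copy, encrypts the body locally, and stores the wrapped key in object metadata; on GetObject it calls kms:Decrypt on that wrapped key. A role that can Decrypt but not GenerateDataKey can therefore read existing objects and fails on upload. The following is an added example that simulates this flow offline; it is not code from the page or from AWS. It assumes the role's policy allows kms:Decrypt and the S3 actions (the page's policy image is not visible), replaces AWS KMS with an in-memory stand-in that enforces an action allowlist, and replaces AES-GCM with an HMAC-SHA256 keystream plus tag so it runs with the standard library only:

```python
"""Envelope encryption as the S3 Encryption Client does it with a KMS key (simulated).

Added example, not AWS code. FakeKms stands in for AWS KMS; seal/open_ stand in
for AES-GCM (HMAC-SHA256 keystream + HMAC tag, standard library only)."""
import hashlib
import hmac
import secrets


class AccessDenied(Exception):
    """Stands in for the AccessDeniedException KMS returns on a denied action."""


def _keystream(key, nonce, n):
    # CTR-style keystream from a PRF; a stand-in for AES, not for production use.
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def seal(key, plaintext):
    """Authenticated encryption stand-in: returns nonce || tag || ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def open_(key, blob):
    """Verifies the tag, then decrypts; raises ValueError on tampering."""
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class FakeKms:
    """In-memory KMS: the CMK never leaves this object; every API call is authorized first."""

    def __init__(self, allowed_actions):
        self._cmk = secrets.token_bytes(32)
        self.allowed = set(allowed_actions)   # mutable, to model a policy change

    def _authorize(self, action):
        if action not in self.allowed:
            raise AccessDenied(f"not authorized to perform {action}")

    def generate_data_key(self):
        """kms:GenerateDataKey -> (Plaintext, CiphertextBlob), as the real API returns."""
        self._authorize("kms:GenerateDataKey")
        data_key = secrets.token_bytes(32)
        return data_key, seal(self._cmk, data_key)

    def decrypt(self, ciphertext_blob):
        """kms:Decrypt -> plaintext data key."""
        self._authorize("kms:Decrypt")
        return open_(self._cmk, ciphertext_blob)


class EncryptionClient:
    """Client-side envelope encryption over a dict standing in for the S3 bucket."""

    def __init__(self, kms, bucket):
        self.kms, self.bucket = kms, bucket

    def put_object(self, key, body):
        data_key, wrapped = self.kms.generate_data_key()     # needs kms:GenerateDataKey
        self.bucket[key] = {"Body": seal(data_key, body),   # body encrypted locally
                            "Metadata": {"x-amz-key-v2": wrapped.hex()}}  # wrapped key travels with object

    def get_object(self, key):
        obj = self.bucket[key]
        data_key = self.kms.decrypt(bytes.fromhex(obj["Metadata"]["x-amz-key-v2"]))  # needs kms:Decrypt
        return open_(data_key, obj["Body"])


def run_scenario():
    """Reproduces the question: GET works, PUT is forbidden, adding GenerateDataKey fixes it."""
    bucket = {}
    kms = FakeKms({"kms:GenerateDataKey", "kms:Decrypt"})
    client = EncryptionClient(kms, bucket)
    client.put_object("test.txt", b"existing test object")   # seeded earlier by a fully privileged principal

    kms.allowed = {"kms:Decrypt"}   # assumed: the role's policy grants Decrypt but not GenerateDataKey
    results = {"stored_is_ciphertext": bucket["test.txt"]["Body"] != b"existing test object"}
    results["get_existing"] = client.get_object("test.txt") == b"existing test object"
    try:
        client.put_object("new.txt", b"new object")
        results["put_new"] = "ok"
    except AccessDenied as exc:
        results["put_new"] = str(exc)

    kms.allowed.add("kms:GenerateDataKey")   # the fix: option A
    client.put_object("new.txt", b"new object")
    results["put_after_fix"] = client.get_object("new.txt") == b"new object"
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The object body and the data key never reach KMS; only the 32-byte data key is wrapped and unwrapped there, which is exactly why the key's policy must still grant kms:GenerateDataKey (for uploads) and kms:Decrypt (for downloads) even though S3 itself never sees plaintext. kms:GetKeyPolicy, kms:GetPublicKey and kms:Sign play no part in this exchange.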