Which combination of steps should the security engineer take to meet these requirements?

By:
In: SCS-C01
Tagged:
With: 2 Comments
A developer has created an AWS Lambda function in a company’s development account.The Lambda function requires the use of an AWS Key Management Service (AWS KMS) customer managed key that exists in a security account that the company’s security team controls.The developer obtains the ARN of the KMS key from a previous Lambda function in the development account.The previous Lambda function had been working properly with the KMS key.When the developer uses the ARN and tests the new Lambda function, an error message states that access is denied to the KMS key in the security account.The developer tests the previous Lambda function that uses the same KMS key and discovers that the previous Lambda function still can encrypt data as expected.A security engineer must resolve the problem so that the new Lambda function in the development account can use the KMS key from the security account.

Which combination of steps should the security engineer take to meet these requirements?

(Choose two.)

In the security account, configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

In the development account, configure an IAM role for the new Lambda function. Attach a key policy that allows access to the KMS key in the security account.

In the development account, configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the security account.

Configure a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account.

Explanations:

The IAM role for the new Lambda function needs to be in the development account, not the security account. This option incorrectly suggests creating the role in the security account, which would not be able to directly grant access to the KMS key.

An IAM role in the development account cannot have a key policy attached to it. Key policies are associated with the KMS key itself, not with IAM roles. This option does not provide a valid solution.

Configuring an IAM role in the development account and attaching an IAM policy that allows access to the KMS key in the security account is necessary. The role needs appropriate permissions to access the KMS key, which can be granted via an IAM policy.

This option suggests modifying the key policy for the KMS key in the security account but does not specify that it should grant access to the IAM role in the development account. The role itself must be in the development account, and this approach lacks clarity on that aspect.

Configuring a key policy for the KMS key in the security account to allow access to the IAM role of the new Lambda function in the development account is essential. This directly grants the necessary permissions for the Lambda function to use the KMS key.

2026-04-04

2 Comments

  1. Adam
    Author

    From my point of view, the answer is:
    In the development account, configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

  2. Virginia
    Author

    I classify that the answer is:
    In the development account, configure an IAM role for the new Lambda function. Attach an IAM policy that allows access to the KMS key in the security account.

Leave a Reply

Your email address will not be published. Required fields are marked *

fifteen + 13 =