Which combination of configuration steps should the Security Engineer take to ensure the EC2 Auto Scaling groups have been granted the proper permissions to execute tasks?
A. Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographic operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy to allow the use of the centrally managed CMK for cryptographic operations. Configure EC2 Auto Scaling groups within each applicable account to use the created IAM role to launch EC2 instances.
B. Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographic operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy with permissions to create grants for the centrally managed CMK. Use this IAM role to create a grant for the centrally managed CMK with permissions to perform cryptographic operations and with the EC2 Auto Scaling service-linked role defined as the grantee principal.
C. Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographic operations by applying proper cross-account permissions in the key policy. Use the CMK administrator to create a CMK grant that includes permissions to perform cryptographic operations and that defines the EC2 Auto Scaling service-linked roles from all other accounts as the grantee principal.
D. Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographic operations by applying proper cross-account permissions in the key policy. Modify the access policy for the EC2 Auto Scaling roles to perform cryptographic operations against the centrally managed CMK.
Explanations:
Option A is incorrect. It sets up a centrally managed CMK and IAM roles, but the IAM role also needs permission to create grants for cryptographic operations, which this option does not address. EC2 Auto Scaling needs specific permissions via grants, not just key policies.
Option B is correct. It creates a grant with cryptographic permissions and specifies the EC2 Auto Scaling service-linked role as the grantee principal, which is the correct method for enabling cross-account EC2 Auto Scaling operations with the KMS CMK.
Option C is incorrect. Although it mentions creating a CMK grant, it does not specify that the grant must include permissions for cryptographic operations for the EC2 Auto Scaling service-linked roles; the service-linked role in each account must be specifically defined as the grantee.
Option D is incorrect. Simply modifying the access policy for the EC2 Auto Scaling roles to perform cryptographic operations does not address the need for creating grants. KMS requires grants to be created for the EC2 Auto Scaling service-linked roles to use the CMK.
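The two halves of option B, as an added example that is not part of the original question: the key-policy statement the central account attaches to the CMK, the CreateGrant request the workload account issues for its Auto Scaling service-linked role, and a check that a given key policy actually allows the workload role everything it needs (the gap that sinks options A and D). Account IDs, the key ID, the region and the `KmsGrantCreator` role name are constructed placeholders.

```python
"""Cross-account KMS for EC2 Auto Scaling: key-policy statement, grant request,
and a defender-side check. Account IDs, key ID and role name are placeholders."""

CENTRAL_ACCOUNT = "111111111111"   # placeholder: account that owns the CMK
WORKLOAD_ACCOUNT = "222222222222"  # placeholder: account running the Auto Scaling group
KEY_ARN = f"arn:aws:kms:us-east-1:{CENTRAL_ACCOUNT}:key/EXAMPLE-KEY-ID"
GRANT_CREATOR_ROLE = f"arn:aws:iam::{WORKLOAD_ACCOUNT}:role/KmsGrantCreator"  # assumed name
# Service-linked role that EC2 Auto Scaling uses in the workload account.
ASG_SLR = (f"arn:aws:iam::{WORKLOAD_ACCOUNT}:role/aws-service-role/"
           "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")

# Key-policy actions the workload role needs: cryptographic ops plus CreateGrant.
KEY_POLICY_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                      "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"}
# Operations the grant passes on to the service-linked role.
GRANT_OPERATIONS = ["Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo",
                    "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
                    "DescribeKey", "CreateGrant"]

def key_policy_statement(principal_arn: str) -> dict:
    """Statement the central account adds to the CMK's key policy."""
    return {"Sid": "AllowWorkloadRoleUseAndGrant", "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": sorted(KEY_POLICY_ACTIONS), "Resource": "*"}

def create_grant_request(key_arn: str, grantee_arn: str) -> dict:
    """Parameters for kms:CreateGrant, issued from the workload account by the
    role named in the key policy; keys match boto3 KMS.Client.create_grant()."""
    return {"KeyId": key_arn, "GranteePrincipal": grantee_arn,
            "Operations": GRANT_OPERATIONS}

def missing_actions(policy: dict, principal_arn: str) -> set:
    """Which required actions does this key policy NOT allow the principal?
    An empty set means the workload role can both use the key and create grants."""
    allowed = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        p = st.get("Principal", {}).get("AWS", [])
        p = [p] if isinstance(p, str) else p
        if principal_arn not in p:
            continue
        act = st.get("Action", [])
        allowed.update([act] if isinstance(act, str) else act)
    return KEY_POLICY_ACTIONS - allowed

if __name__ == "__main__":
    policy = {"Version": "2012-10-17", "Statement": [key_policy_statement(GRANT_CREATOR_ROLE)]}
    print(create_grant_request(KEY_ARN, ASG_SLR), missing_actions(policy, GRANT_CREATOR_ROLE))
```

Feeding `missing_actions()` the output of `aws kms get-key-policy` for the central CMK shows whether the workload role was left with cryptographic permissions only, which is exactly the configuration options A and D describe.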