Which combination of configuration steps should the Security Engineer take to ensure the EC2 Auto Scaling groups have been granted the proper permissions to execute tasks?
Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy to allow the use of the centrally managed CMK for cryptographical operations. Configure EC2 Auto Scaling groups within each applicable account to use the created IAM role to launch EC2 instances.
Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy with permissions to create grants for the centrally managed CMK. Use this IAM role to create a grant for the centrally managed CMK with permissions to perform cryptographical operations and with the EC2 Auto Scaling service-linked role defined as the grantee principal.
Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Use the CMK administrator to create a CMK grant that includes permissions to perform cryptographical operations that define EC2 Auto Scaling service-linked roles from all other accounts as the grantee principal.
Create a customer-managed CMK or an AWS managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Modify the access policy for the EC2 Auto Scaling roles to perform cryptographical operations against the centrally managed CMK.
Explanations:
While option A suggests using a centrally managed CMK and IAM roles, the IAM role should be able to create grants for cryptographical operations, which isn’t addressed here. EC2 Auto Scaling needs specific permissions via grants, not just key policies.
Option B correctly outlines the need for creating a grant with cryptographical permissions and specifying the EC2 Auto Scaling service-linked role as the grantee principal. This is the correct method for enabling cross-account EC2 Auto Scaling operations with the KMS CMK.
While this option mentions the creation of a CMK grant, it doesn’t specify that the grant must include permissions for cryptographical operations for EC2 Auto Scaling service-linked roles. The EC2 Auto Scaling service-linked role must be specifically defined as the grantee.
Option D is incorrect because simply modifying the access policy for EC2 Auto Scaling roles to perform cryptographical operations does not address the need for creating grants. KMS requires grants to be created for EC2 Auto Scaling service-linked roles to use the CMK.
I calculate that the answer is:
Create a customer-managed CMK in the centralized account. Allow other applicable accounts to use that key for cryptographical operations by applying proper cross-account permissions in the key policy. Create an IAM role in all applicable accounts and configure its access policy with permissions to create grants for the centrally managed CMK. Use this IAM role to create a grant for the centrally managed CMK with permissions to perform cryptographical operations and with the EC2 Auto Scaling service-linked role defined as the grantee principal.