Which action would provide the required functionality?

By:
In: SCS-C01
Tagged:
With: 2 Comments
A Security Engineer is looking for a way to control access to data that is being encrypted under a CMK.The Engineer is also looking to use additional authenticated data (AAD) to prevent tampering with ciphertext.

Which action would provide the required functionality?

Pass the key alias to AWS KMS when calling Encrypt and Decrypt API actions.

Use IAM policies to restrict access to Encrypt and Decrypt API actions.

Use kms:EncryptionContext as a condition when defining IAM policies for the CMK.

Use key policies to restrict access to the appropriate IAM groups.

Explanations:

Passing the key alias to AWS KMS does not control access to data or prevent tampering. The alias is used to reference a key but does not address controlling access to the ciphertext or utilizing AAD.

IAM policies can control access to KMS actions, but they do not directly address the use of additional authenticated data (AAD) or prevent tampering with ciphertext.

Usingkms:EncryptionContextin IAM policies allows control over the context in which a CMK is used. It ensures that only operations with the specified context are allowed, effectively using AAD to protect the ciphertext from tampering.

Key policies restrict access to the CMK but do not utilize AAD to protect ciphertext. While key policies are important for access control, they do not directly address preventing tampering with the ciphertext.

2026-03-22

2 Comments

  1. Abigail
    Author

    In my opinion, the answer is:
    Use kms:EncryptionContext as a condition when defining IAM policies for the CMK.

  2. Justin
    Author

    I deduce that the answer is:
    Use kms:EncryptionContext as a condition when defining IAM policies for the CMK.

Leave a Reply

Your email address will not be published. Required fields are marked *

13 − six =