How should the developer set the principal in the KMS key policy to meet these requirements?
"Principal": { "AWS": "arn:aws:sts::123456789012:role/FederatedIAMRole/KeyAdmin" }
"Principal": { "AWS": "arn:aws:sts::123456789012:user/FederatedIAMRole/KeyAdmin" }
"Principal": { "AWS": "arn:aws:sts::123456789012:user/KeyAdmin" }
"Principal": { "AWS": "arn:aws:sts::123456789012:assumed-role/FederatedIAMRole/KeyAdmin" }
Explanations:
The ARN format is incorrect. A federated user assumes a role and is not referenced directly.
The ARN format is incorrect. It references a user, but the user isn’t directly involved in the policy.
The ARN refers to a user, but the principal is a federated user under a role, not the user directly.
This is the correct ARN format for a federated user who has assumed the FederatedIAMRole.