What should a SysOps administrator do to configure this integration?
Create a new KMS key. Add the vendor’s IAM role ARN to the KMS key policy. Provide the new KMS key ARN to the vendor.
Create a new KMS key. Create a new IAM key. Add the vendor’s IAM role ARN to an inline policy that is attached to the IAM user. Provide the new IAM user ARN to the vendor.
Configure encryption using the KMS managed S3 key. Add the vendor’s IAM role ARN to the KMS key policy. Provide the KMS managed S3 key ARN to the vendor.
Configure encryption using the KMS managed S3 key. Create an S3 bucket. Add the vendor’s IAM role ARN to the S3 bucket policy. Provide the S3 bucket ARN to the vendor.
Explanations:
The company should create a new KMS key and add the vendor’s IAM role ARN to the KMS key policy to allow the vendor to use the key for encryption. The vendor will use this key to encrypt data in their S3 bucket.
Creating a new IAM user and attaching policies directly to that user is unnecessary. The integration requires managing access at the KMS key level, not through a separate IAM user.
The KMS managed S3 key is automatically created and managed by AWS for S3 encryption and cannot be customized to grant permissions specifically for the vendor’s IAM role in the way described.
The KMS managed S3 key is used by default for S3 encryption, and a KMS key policy should be used to grant access to the vendor’s IAM role, not an S3 bucket policy. The bucket policy is not sufficient for managing KMS key access.
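A key policy of the kind the correct answer describes, added here as an illustration rather than taken from the question or from any AWS document. The account IDs, the role name VendorIntegrationRole and the region are placeholders to be replaced with the company's account and the vendor's real IAM role ARN; the first statement keeps the key administrable from the owning account, and the condition on the second limits the vendor's use of the key to requests that arrive through S3.

```json
{
  "Version": "2012-10-17",
  "Id": "vendor-s3-encryption-key-policy",
  "Statement": [
    {
      "Sid": "EnableKeyAdministrationByOwningAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowVendorRoleToEncryptViaS3",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::444455556666:role/VendorIntegrationRole" },
      "Action": [
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "s3.us-east-1.amazonaws.com" }
      }
    }
  ]
}
```

Because the vendor's role lives in another account, the vendor must also attach an IAM policy to that role allowing the same kms actions on this key's ARN; a cross-account grant needs both halves, and the key policy alone does not complete it.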