What should the company do next to meet these requirements?

By:
In: SCS-C01
Tagged:
With: 2 Comments
A company uses AWS Organizations to manage several AWs accounts.The company processes a large volume of sensitive data.The company uses a serverless approach to microservices.The company stores all the data in either Amazon S3 or Amazon DynamoDB.The company reads the data by using either AWS Lambda functions or container-based services that the company hosts on Amazon Elastic Kubernetes Service (Amazon EKS) on AWS Fargate.The company must implement a solution to encrypt all the data at rest and enforce least privilege data access controls.The company creates an AWS Key Management Service (AWS KMS) customer managed key.

What should the company do next to meet these requirements?

Create a key policy that allows the kms:Decrypt action only for Amazon S3 and DynamoDB. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.

Create an IAM policy that denies the kms:Decrypt action for the key. Create a Lambda function than runs on a schedule to attach the policy to any new roles. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an SCP that denies the creation of S3 buckets and DynamoDB tables that are not encrypted with the key.

Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

Explanations:

The key policy approach in this option is too broad and doesn’t enforce least privilege effectively. It restricts thekms:Decryptaction only to S3 and DynamoDB but doesn’t include Lambda and EKS, which are also integral to the system. SCPs are useful for account-level controls but won’t enforce encryption for existing resources.

This option relies on a Lambda function to attach a policy to new roles, which is an ineffective and error-prone approach. AWS Config rules help with monitoring but cannot actively enforce encryption. The policy also doesn’t ensure least privilege access to services like Lambda and EKS.

Although the key policy allows decryption for the relevant services, the SCPs only restrict creation of unencrypted S3 and DynamoDB resources, not enforcing least privilege across all services (e.g., Lambda and EKS). It also doesn’t use a monitoring solution like AWS Config.

This option effectively ensures that the key policy grantskms:Decryptaccess only to the relevant services (S3, DynamoDB, Lambda, and EKS), and uses an AWS Config rule to monitor resources for encryption compliance. This approach satisfies both encryption and least privilege access control requirements.

2026-04-06

2 Comments

  1. Sandra
    Author

    As far as I can tell, the answer is:
    Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

  2. Sara
    Author

    From what I’ve seen, the answer is:
    Create a key policy that allows the kms:Decrypt action only for Amazon S3, DynamoDB, Lambda, and Amazon EKS. Create an AWS Config rule to send alerts for resources that are not encrypted with the key.

Leave a Reply to Sara Cancel reply

Your email address will not be published. Required fields are marked *

6 − 3 =