Get all the questions covering the entire syllabus from here : 2019 : This material is owned by . Please don't copy; it's bad Karma.

Question-4: You are a security specialist for your organization called . It has a huge customer database; all of these customers are online users with paid subscription data. Before storing this data in an AWS Redshift cluster, you want it to be encrypted with your own customer-managed master keys. You want to change the permissions on these customer-managed master keys (who can access them and who cannot), and the changes should be effective immediately. What can you do?

  A. You will be using a key policy.
  B. You will be using grants on the master key.
  C. With the grant you will be using a grant token, which is returned by the CreateGrant request, and you will pass this grant token in the AWS KMS API call.
  D. Master keys are not secret, so assigning and giving permissions on master keys is not logical.

Ans: A, C

Detailed Explanation: Yes, you can control who can access your customer-managed master keys. There are two ways to control this:

  1. Key Policy: In the key policy document you can add, modify or remove the permissions that decide who can access these master keys.
  2. Grants: Grants are another way to control and check who can access the keys. They are an alternative to the key policy. You can use grants to give long-term access that allows an AWS principal to use your customer-managed CMKs.

However, grants are not effective immediately, which is what the question requires. Grants are eventually consistent. For a grant to be effective immediately, you use the grant token and pass it as part of the AWS KMS API call, so that the grant takes effect immediately.
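The following Python script is an added example, not part of this question bank or of AWS's own material. It shows both controls from the explanation in boto3-style calls: a key policy document applied with PutKeyPolicy, and a grant whose token is passed on the grantee's very next KMS request so the call succeeds before the grant has propagated. All ARNs and the key id are constructed placeholders, and `FakeKms` is a constructed stand-in for `boto3.client("kms")` that models only the eventual-consistency behaviour the text describes, so the script runs offline; swapping in a real client exercises the same functions.

```python
"""Controlling access to a customer-managed KMS key: key policy edits, and
grants made effective at once by passing the grant token on the next call.
Added example; FakeKms is a constructed stand-in for the boto3 KMS client."""
import json
import uuid

# Constructed placeholder identifiers, not real AWS resources.
ACCOUNT_ID = "111122223333"
KEY_ID = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
ADMIN_ARN = "arn:aws:iam::111122223333:role/kms-admin"
LOADER_ARN = "arn:aws:iam::111122223333:role/redshift-loader"


def build_key_policy(account_id, admin_arn, user_arns):
    """Key policy: account root keeps full control (so nobody locks the key
    out), the admin role gets management actions only, users get only the
    cryptographic actions. PutKeyPolicy replaces the whole document, so
    every statement you still want must be present here."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "RootAccountAccess", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "KeyAdministrators", "Effect": "Allow",
             "Principal": {"AWS": admin_arn},
             "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*",
                        "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*",
                        "kms:Disable*", "kms:Get*", "kms:Delete*",
                        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
             "Resource": "*"},
            {"Sid": "KeyUsers", "Effect": "Allow",
             "Principal": {"AWS": list(user_arns)},
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": "*"},
        ],
    }


def apply_key_policy(kms, key_id, policy):
    """'default' is the only policy name KMS accepts."""
    kms.put_key_policy(KeyId=key_id, PolicyName="default",
                       Policy=json.dumps(policy))


def grant_loader_access(admin_kms, key_id, grantee_arn):
    """Run by the key administrator. The grant token in the response is
    handed to the grantee (here simply returned to the caller)."""
    resp = admin_kms.create_grant(
        KeyId=key_id, GranteePrincipal=grantee_arn,
        Operations=["Encrypt", "Decrypt", "GenerateDataKey"],
        Name="redshift-loader")
    return resp["GrantId"], resp["GrantToken"]


def encrypt_with_grant_token(grantee_kms, key_id, plaintext, grant_token):
    """Run by the grantee. Passing the token makes KMS honour the grant even
    before it has propagated (grants are eventually consistent)."""
    resp = grantee_kms.encrypt(KeyId=key_id, Plaintext=plaintext,
                               GrantTokens=[grant_token])
    return resp["CiphertextBlob"]


class FakeKms:
    """Offline stand-in for boto3.client('kms'), constructed for this example.
    A new grant stays invisible until propagate() runs, unless the caller
    presents its grant token; that is the only KMS behaviour modelled."""
    def __init__(self):
        self.policy = None
        self.grants = {}  # grant token -> {"id": ..., "propagated": bool}

    def put_key_policy(self, KeyId, PolicyName, Policy):
        json.loads(Policy)  # reject a document that is not valid JSON
        self.policy = Policy

    def create_grant(self, KeyId, GranteePrincipal, Operations, Name=None):
        token, grant_id = uuid.uuid4().hex, uuid.uuid4().hex
        self.grants[token] = {"id": grant_id, "propagated": False}
        return {"GrantId": grant_id, "GrantToken": token}

    def propagate(self):
        for g in self.grants.values():
            g["propagated"] = True

    def encrypt(self, KeyId, Plaintext, GrantTokens=None):
        usable = any(g["propagated"] for g in self.grants.values()) or any(
            t in self.grants for t in (GrantTokens or []))
        if not usable:
            raise PermissionError("AccessDeniedException: no effective grant")
        return {"CiphertextBlob": b"CT:" + Plaintext[::-1]}  # toy ciphertext


def demo(kms):
    """Both controls against one client; returns the ciphertext."""
    apply_key_policy(kms, KEY_ID,
                     build_key_policy(ACCOUNT_ID, ADMIN_ARN, [LOADER_ARN]))
    _grant_id, token = grant_loader_access(kms, KEY_ID, LOADER_ARN)
    return encrypt_with_grant_token(kms, KEY_ID, b"subscriber-record", token)


if __name__ == "__main__":
    # Replace FakeKms() with boto3.client("kms") to run against a real key.
    print(demo(FakeKms()))
```

In production the administrator and the grantee are different principals with different credentials, so `grant_loader_access` and `encrypt_with_grant_token` would be called from different clients; the single `FakeKms` instance here serves both only to keep the demo offline. Note also that the key policy is edited by replacing the whole document, which is why the root-account statement is kept in every version.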
