
An accounting firm relies heavily on Amazon EBS volumes to provide persistent storage for application data hosted on Amazon EC2 instances. To ensure the safety and confidentiality of the clients' critical data, these volumes are encrypted. The project manager, tasked with overseeing security credentials, has encountered the following policy snippet:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow for use of this Key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/UserRole"
      },
      "Action": [
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:Decrypt"
      ],
      "Resource": ""
    },
    {
      "Sid": "Allow for EC2 Use",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/UserRole"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "ec2.us-west-2.amazonaws.com"
        }
      }
    }
  ]
}

Based on the provided policy, which of the following statements are accurate?
A. The second statement in this policy provides the security group (mentioned in first statement of the policy), the ability to create, list, and revoke grants for Amazon EC2
B. The second statement in the policy mentions that all the resources stated in the first statement can take the specified role which will provide the ability to create, list, and revoke grants for Amazon EC2
C. The first statement provides the security group the ability to generate a data key and decrypt that data key from the CMK when necessary
D. The first statement provides a specified IAM principal the ability to generate a data key and decrypt that data key from the CMK when necessary