hard📝 Application Q8 of 15
AWS - Advanced Security

You want to allow an EC2 instance to use a KMS key for encryption without sharing the key material. What is the best way to achieve this?

A. Attach an IAM role to the EC2 instance with kms:Encrypt permission on the key
B. Embed the KMS key material in the EC2 instance user data
C. Store the KMS key in the EC2 instance environment variables
D. Manually copy the key material to the EC2 instance
Step-by-Step Solution

Step 1: Understand secure key usage
  KMS keys are managed by AWS; the key material stays inside KMS and should never be shared, exported or copied onto an instance.

Step 2: Use IAM roles for permissions
  Assigning an IAM role with kms:Encrypt permission on the key allows the EC2 instance to call KMS to encrypt data without ever holding the key material.

Final Answer:
  Attach an IAM role to the EC2 instance with kms:Encrypt permission on the key -> Option A

Quick Check:
  Use IAM roles, not key material sharing [OK]

Quick Trick: Use IAM roles to grant KMS permissions securely [OK]

Common Mistakes:
  • Sharing key material manually
  • Storing keys in environment variables
