What must be configured for an EC2 instance profile to access a KMS key?

Prepare for the GIAC Cloud Security Automation Exam. This quiz helps you study with flashcards and multiple choice questions, complete with hints and explanations. Ensure your success on the test by practicing now!

Multiple Choice

What must be configured for an EC2 instance profile to access a KMS key?

Explanation:
To enable an EC2 instance profile to access a KMS key, the key must have the appropriate key policy configured to allow decrypt access. This pertains specifically to granting permission for the IAM role associated with the EC2 instance to use the KMS key for decryption operations.

KMS (Key Management Service) operates based on explicitly defined permissions, so if an instance profile, which is linked to a specific IAM role, requires access to a KMS key for performing actions such as decrypting data, the permissions must be granted directly in the key policy.

Other options like security groups and network ACLs pertain more to controlling traffic and access at the network level and do not influence the permission management for cryptographic operations provided by KMS. A specific IAM role is necessary but merely having a role is not sufficient without the specific permission to decrypt on the KMS key, and a network ACL serves a different purpose entirely.
