Question-4: You are a security specialist for your organization, QuickTechie.com. QuickTechie.com has a huge customer database; all of these customers are online users with paid subscriptions. Before storing this data in an AWS Redshift cluster, you want it to be encrypted with your own customer-managed master keys. You want to change the permissions on these customer-managed master keys (who can access them and who cannot), and these changes should be effective immediately. What can you do?
- A. You will use a key policy.
- B. You will use grants on the master key.
- C. With the grant, you will use the grant token returned by the CreateGrant request, and you will pass this grant token in the AWS KMS API call.
- D. Master keys are not secret, so assigning and granting permissions on master keys is not logical.
Ans: A, C
Detailed Explanation: Yes, you can control who can access your customer-managed master keys. There are two ways to control this:
- Key Policy: In the key policy document you can add, modify or remove the permissions that define who can access this master key.
- Grants: Grants are a way to control and check who can access the keys. They are an alternative to the key policy. You can use grants to give long-term access that allows an AWS principal to use your customer-managed CMKs.
However, grants are not effective immediately, which is what the question requires. Grants are eventually consistent. For a grant to be effective immediately, you use the grant token, which you can pass as part of the AWS KMS API call so that the grant takes effect immediately.