copy its bad Karma

Question-8: You have department wise grouped IAM identities and each department is using different CMKs to do cryptographic operations. As of now there are no proper access controls are in place. You wanted to setup control access on CMKs such that if one user have permission on one CMK then he should be able to delegate the permissions to another user. In this case which of the below is suitable.

1. It require only Key policy setup
2. It require only IAM policy setup
3. It require IAM policy and grants in place.
4. It require Key policy and grants

Ans: D

Detailed Explanation: Controlling Access to AWS KMS CMKs: You will be using following ways to control access to a CMK.

1. Using Key Policy: You can use single Key Policy document to define the access control.
2. IAM Policy + Key Policy: In this way you can manage all of the permissions for your IAM identities.
3. Grant + Key Policy: You can use grant and Key policy to allow access to CMK. In Key policy you control the access to the CMK and also allow users to delegate their access to others.

To allow access to KMS CMK, you must use Key Policy (Remember: That is a mandate). You can use any of the above combination to control the access to CMK. IAM policy alone are not enough to control the access for CMKs. For most of the other services IAM policies are enough but this is not the case with KMS.