

Question-4: You are a security specialist for your organization. The organization has a huge customer database; all of these customers are online users with paid subscription data. Before storing this data in an AWS Redshift cluster, you want it to be encrypted with your own customer managed master keys. You want to change the permissions on these customer managed master keys (who can access them and who cannot), and these changes should be effective immediately. What can you do?

  1. You will use the key policy.
  2. You will use grants on the master key.
  3. With the grant, you will use the grant token that is returned by the CreateGrant request, and you will pass this grant token in the AWS KMS API call.
  4. Master keys are not secret, so assigning permissions on master keys is not logical.

Ans: A, C

Detailed Explanation: Yes, you can control who can access your customer managed master keys. There are two ways to control this:

  1. Key Policy: In the key policy document you can add, modify or remove permissions that determine who can access the master keys.
  2. Grants: Grants are a way to control and check who can access the keys. They are an alternative to the key policy. You can use grants to give long-term access that allows an AWS principal to use your customer managed CMKs.

However, grants are not effective immediately, which is what the question requires. Grants are eventually consistent. To make a grant effective immediately, you use the grant token: you pass this token as part of the AWS KMS API call, so that the grant takes effect immediately.
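
The grant-token flow described above, as an added example that is not part of the original material. `grant_access` and `data_key_for_grantee` use the boto3 KMS parameter names (`create_grant`, `generate_data_key`, `GrantTokens`); `StubKMS`, the key alias, the role ARN and the token values are constructed stand-ins so the example runs offline, and the stub only models a grant that has not yet propagated.

```python
# Added example: boto3-style KMS calls against a constructed offline stub.
class StubKMS:
    """Constructed stand-in for a boto3 KMS client. It models a new grant that
    has not propagated yet: only calls carrying its grant token are allowed."""
    def __init__(self):
        self._pending = {}  # grant token -> operations the grant allows

    def create_grant(self, KeyId, GranteePrincipal, Operations):
        token = f"token-{len(self._pending) + 1}"  # constructed value
        self._pending[token] = set(Operations)
        return {"GrantId": f"grant-{len(self._pending)}", "GrantToken": token}

    def generate_data_key(self, KeyId, KeySpec, GrantTokens=()):
        if not any("GenerateDataKey" in self._pending.get(t, ()) for t in GrantTokens):
            raise PermissionError("AccessDeniedException (grant not visible yet)")
        return {"KeyId": KeyId, "Plaintext": b"\x00" * 32, "CiphertextBlob": b"constructed"}


def grant_access(kms, key_id, grantee_arn):
    """Key administrator side: create the grant and return its grant token."""
    resp = kms.create_grant(KeyId=key_id, GranteePrincipal=grantee_arn,
                            Operations=["GenerateDataKey", "Decrypt"])
    return resp["GrantToken"]


def data_key_for_grantee(kms, key_id, grant_token=None):
    """Grantee side: request a data key, passing the grant token when one was handed over."""
    kwargs = {"KeyId": key_id, "KeySpec": "AES_256"}
    if grant_token:
        kwargs["GrantTokens"] = [grant_token]
    return kms.generate_data_key(**kwargs)


def demo():
    kms = StubKMS()
    key_id = "alias/example-cmk"                               # placeholder
    grantee = "arn:aws:iam::111122223333:role/example-loader"  # placeholder
    token = grant_access(kms, key_id, grantee)
    try:
        data_key_for_grantee(kms, key_id)   # no token: the grant is not visible yet
        without_token = "allowed"
    except PermissionError:
        without_token = "denied"
    return without_token, len(data_key_for_grantee(kms, key_id, token)["Plaintext"])


if __name__ == "__main__":
    print(demo())
```

Against a real account, the same two functions take a `boto3.client("kms")` in place of the stub, and a denied call surfaces as a botocore `ClientError` rather than `PermissionError`.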