Access Control and Auditing

5 minutes 5 Questions

Access control and auditing in AWS KMS enable users to monitor and manage the usage of their cryptographic keys. Access control is implemented using AWS Identity and Access Management (IAM) policies, which allow fine-grained control over who can access, create, or use KMS resources. Auditing is pro…

Access Control and Auditing in AWS KMS - Guide and Exam Tips

AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the cryptographic keys used to encrypt your data. Access Control and Auditing are crucial elements of this service.

Importance: The Access Control and Auditing feature in AWS KMS is vital as it enables the suitable administration of permissions to the keys and traces the usage of these keys, ensuring the prevention of unauthorized access and providing compliance oversight.

Access Control: It's a process that ensures only authorized personnel can access the keys. AWS KMS enables this using IAM policies, key policies, and grants. IAM policies specify who can manage the CMK and what actions they can perform; Key Policies signify who can use the key; grants are alternate ways to give permissions.

Auditing: It involves tracking the usage of keys. AWS KMS provides this via AWS CloudTrail, which records AWS KMS events in log files.

Exam Tips: When approaching questions on Access Control and Auditing, pay attention to the specific permissions given and whether CloudTrail is enabled. Also, remember that IAM policies, Key Policies, and grants are essential components of access control in AWS KMS, while AWS CloudTrail plays a crucial role in auditing.

Don't overlook details concerning who can use and manage the keys - these are usually vital in exam questions. Understanding the interplay of IAM policies, key policies, and grants will go a long way in correctly answering such questions.

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

AWS Certified Solutions Architect - Access Control and Auditing Example Questions

Test your knowledge of Access Control and Auditing

Question 1

A company has multiple AWS accounts, and they need to set up auditing for API requests across all accounts. How can the company achieve this?

Enable Elastic Load Balancer (ELB) Access Logs on all accounts and forward logs to a central Amazon Kinesis Data Stream. Enable AWS CloudTrail across all accounts and aggregate logs to a central S3 bucket. Enable VPC Flow Logs for all accounts and send the logs to a central Amazon Elasticsearch Service domain. Store application logs from each account to a central Amazon Glue Data Catalog.

Correct Answer: Enable AWS CloudTrail across all accounts and aggregate logs to a central S3 bucket.

AWS CloudTrail enables the auditing of API requests across all accounts. By enabling CloudTrail and aggregating logs to a central S3 bucket, the company can set up proper auditing and monitoring. The other options focus on different logging and monitoring utilities but do not provide the API request auditing required by the scenario.

Question 2

An organization needs to grant access to its Amazon RDS database only to specific team members. How can this goal be achieved?

Create IAM users for the team members and follow the Amazon RDS security best practices. Enable AWS CloudTrail for the Amazon RDS instance and monitor user access. Configure an RDS proxy and allow access only to the proxy. Create VPC endpoints for the Amazon RDS database and allow access only to selected IP addresses.

Correct Answer: Create IAM users for the team members and follow the Amazon RDS security best practices.

Creating IAM users for the team members and following Amazon RDS security best practices ensures proper access control for the RDS database. Other options do not fulfill the requirement of granting access to specific team members or do not exist in the AWS ecosystem.

Question 3

An AWS Lambda function parses Amazon S3 server access logs stored in a specific bucket and programmatically updates an existing Amazon QuickSight dataset (backed by an existing QuickSight data source) and triggers a SPICE refresh so dashboards stay up to date. Following the principle of least privilege, which IAM permissions must be granted to the Lambda function’s execution role?

Amazon S3ObjectTagging permission and Amazon QuickSight Deployment permission. Amazon S3 ListBucket permission and QuickSight Administrator permission. Full access to the S3 bucket and Amazon S3 Block Public Access enabled. Least-privilege IAM permissions for the Lambda execution role: 1) Amazon S3: s3:ListBucket on the logs bucket and s3:GetObject on the logs bucket objects. 2) Amazon QuickSight: quicksight:UpdateDataSet and quicksight:DescribeDataSet on the target dataset, quicksight:CreateIngestion on that dataset to refresh SPICE, and quicksight:PassDataSource on the existing data source used by the dataset.

Correct Answer: Least-privilege IAM permissions for the Lambda execution role: 1) Amazon S3: s3:ListBucket on the logs bucket and s3:GetObject on the logs bucket objects. 2) Amazon QuickSight: quicksight:UpdateDataSet and quicksight:DescribeDataSet on the target dataset, quicksight:CreateIngestion on that dataset to refresh SPICE, and quicksight:PassDataSource on the existing data source used by the dataset.

The Lambda function must read S3 access logs, which requires s3:GetObject on the log objects and typically s3:ListBucket to enumerate new log files. To update what QuickSight uses for analysis without over-privileging, the function needs dataset-level permissions: quicksight:UpdateDataSet and quicksight:DescribeDataSet to modify/inspect the dataset, and quicksight:CreateIngestion to trigger a SPICE refresh so visuals and dashboards update. If the dataset references an existing QuickSight data source, the function also needs quicksight:PassDataSource to authorize using that data source in the dataset operations. Broad permissions such as full S3 access or QuickSight administrator are unnecessary and violate least privilege.

🎓 Unlock Premium Access

AWS Certified Solutions Architect - Associate + ALL Certifications

🎓 Access to ALL Certifications: Study for any certification on our platform with one subscription
5645 Superior-grade AWS Certified Solutions Architect - Associate practice questions
Unlimited practice tests across all certifications
Detailed explanations for every question
AWS Certified Solutions Architect: 5 full exams plus all other certification exams
100% Satisfaction Guaranteed: Full refund if unsatisfied
Risk-Free: 7-day free trial with all premium features!

Start Your Free 7-Day Trial

More Access Control and Auditing questions

15 questions (total)

Start 15 question test