# KMS

AWS Key Management Service (**AWS KMS**) is a **managed encryption service** that helps organizations securely create and manage encryption keys across AWS services. It provides **fine-grained control** over how cryptographic keys are used, ensuring **secure data protection and compliance**.

#### **✅ SecureCart’s Use Case: Processing Encrypted Documents with AWS Lambda**

SecureCart operates an **e-commerce analytics system** that processes **encrypted order documents** stored in **Amazon FSx for NetApp ONTAP**. The **AWS Lambda function** is responsible for decrypting the files, processing them, and storing the results in **Amazon S3 Glacier Flexible Retrieval** for archival.

***

### **🔹 Scenario Breakdown**

✔ **Encrypted documents stored in FSx for NetApp ONTAP** – SecureCart encrypts order records using **AWS KMS Customer Managed Key (CMK)**.\
✔ **AWS Lambda function processes these documents** – The function decrypts, processes, and stores results in S3 Glacier.\
✔ **Lambda requires KMS decryption permissions** – It must have permission to decrypt files protected by KMS keys.

***

### **✅ Correct Solution: Option A**

> **Attach the `kms:Decrypt` permission to the Lambda function’s execution role** and\
> **Modify the KMS key policy to grant `kms:Decrypt` permission to the function’s execution role.**

#### **🔑 Why is this the best approach?**

✔ **Execution roles control Lambda permissions** – The IAM **execution role** must be granted the ability to use the **KMS key**.\
✔ **KMS key policy explicitly allows decryption** – KMS key policies define **who can use the key** and for what actions.\
✔ **Ensures security best practices** – Allows **least privilege access** while keeping key policies manageable.

***

### **❌ Why Are Other Options Incorrect?**

| **Option**                                                                                                  | **Reason for Rejection**                                                                                                                                   |
| ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **B: Attach `kms:Decrypt` permission to Lambda execution role & allow Lambda’s ARN in KMS key policy**      | ❌ **IAM roles (not Lambda ARNs) are typically used** in KMS key policies to manage access. Granting permissions directly to a function ARN is unnecessary. |
| **C: Attach `kms:Decrypt` permission to Lambda’s resource policy**                                          | ❌ **Lambda functions do not support resource-based policies** for granting KMS access. Permissions must be assigned to the **execution role**.             |
| **D: Attach `kms:Decrypt` permission to Lambda’s resource policy & allow function’s ARN in KMS key policy** | ❌ Same issue as **C**—Lambda **does not** use resource-based policies for AWS KMS.                                                                         |

***

### **🔹 SecureCart’s Implementation Plan**

#### **Step 1: Grant IAM Role Access to AWS KMS**

SecureCart **modifies the IAM execution role** assigned to the Lambda function by adding the following policy:

```json
jsonCopyEdit{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id"
    }
  ]
}
```

✅ **This grants Lambda permission to decrypt documents using SecureCart’s KMS key.**

***

#### **Step 2: Modify the AWS KMS Key Policy**

SecureCart **updates the AWS KMS key policy** to allow decryption for the Lambda execution role:

```json
jsonCopyEdit{
  "Version": "2012-10-17",
  "Id": "key-use-policy",
  "Statement": [
    {
      "Sid": "AllowLambdaDecryption",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/SecureCart-LambdaExecutionRole"
      },
      "Action": "kms:Decrypt",
      "Resource": "*"
    }
  ]
}
```

✅ **Now, the KMS key explicitly allows SecureCart’s Lambda function to decrypt files.**

***

### **🔹 Key AWS Services Used in SecureCart’s Architecture**

| **Service**                              | **Purpose**                                                   |
| ---------------------------------------- | ------------------------------------------------------------- |
| **AWS KMS**                              | Manages encryption keys to protect order documents.           |
| **Amazon FSx for NetApp ONTAP**          | Stores encrypted documents securely.                          |
| **AWS Lambda**                           | Processes the encrypted documents after decrypting them.      |
| **Amazon S3 Glacier Flexible Retrieval** | Stores processed data securely in long-term archival storage. |
| **IAM Roles & Policies**                 | Controls access to AWS KMS for SecureCart’s Lambda function.  |

***

### **📌 Best Practices for SecureCart**

✔ **Use Customer Managed Keys (CMK) for fine-grained access control** over encryption keys.\
✔ **Apply least privilege access** – Only grant the `kms:Decrypt` permission to services that require it.\
✔ **Enable KMS key rotation** for added security and compliance.\
✔ **Monitor KMS usage** with **AWS CloudTrail** to detect unauthorized access attempts.\
✔ **Use KMS multi-Region keys** if SecureCart expands to multiple AWS regions.

***

### **🚀 Summary**

✅ SecureCart’s **AWS Lambda function requires `kms:Decrypt` permission** to process encrypted documents stored in FSx for NetApp ONTAP.\
✅ The **correct solution** is to attach `kms:Decrypt` to the **Lambda execution role** and modify the **KMS key policy** to explicitly grant the execution role access.\
✅ This approach **follows AWS best practices**, **ensures secure data processing**, and **minimizes unnecessary permissions**.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://awsinpractice.itassist.com/study-group/aws-certified-solutions-architect-associate/domain-1-design-secure-architectures/task-statement-1.3-determine-appropriate-data-security-controls/kms.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.