# KMS

AWS Key Management Service (**AWS KMS**) is a **managed encryption service** that helps organizations securely create and manage encryption keys across AWS services. It provides **fine-grained control** over how cryptographic keys are used, ensuring **secure data protection and compliance**.

#### **✅ SecureCart’s Use Case: Processing Encrypted Documents with AWS Lambda**

SecureCart operates an **e-commerce analytics system** that processes **encrypted order documents** stored in **Amazon FSx for NetApp ONTAP**. The **AWS Lambda function** is responsible for decrypting the files, processing them, and storing the results in **Amazon S3 Glacier Flexible Retrieval** for archival.

***

### **🔹 Scenario Breakdown**

✔ **Encrypted documents stored in FSx for NetApp ONTAP** – SecureCart encrypts order records using **AWS KMS Customer Managed Key (CMK)**.\
✔ **AWS Lambda function processes these documents** – The function decrypts, processes, and stores results in S3 Glacier.\
✔ **Lambda requires KMS decryption permissions** – It must have permission to decrypt files protected by KMS keys.

***

### **✅ Correct Solution: Option A**

> **Attach the `kms:Decrypt` permission to the Lambda function’s execution role** and\
> **Modify the KMS key policy to grant `kms:Decrypt` permission to the function’s execution role.**

#### **🔑 Why is this the best approach?**

✔ **Execution roles control Lambda permissions** – The IAM **execution role** must be granted the ability to use the **KMS key**.\
✔ **KMS key policy explicitly allows decryption** – KMS key policies define **who can use the key** and for what actions.\
✔ **Ensures security best practices** – Allows **least privilege access** while keeping key policies manageable.

***

### **❌ Why Are Other Options Incorrect?**

| **Option**                                                                                                  | **Reason for Rejection**                                                                                                                                   |
| ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **B: Attach `kms:Decrypt` permission to Lambda execution role & allow Lambda’s ARN in KMS key policy**      | ❌ A KMS key policy grants access to **IAM principals** (here, the execution role), not to a Lambda function ARN. Naming the function ARN in the key policy does not give the function key access; the role it runs under must be named. |
| **C: Attach `kms:Decrypt` permission to Lambda’s resource policy**                                          | ❌ A Lambda **resource-based policy** controls who may **invoke** the function; it **cannot grant the function access to KMS**. Permissions must be assigned to the **execution role**.             |
| **D: Attach `kms:Decrypt` permission to Lambda’s resource policy & allow function’s ARN in KMS key policy** | ❌ Same issue as **C**: Lambda **does not** use resource-based policies for AWS KMS, and the function ARN is not a key policy principal.                                                                         |

***

### **🔹 SecureCart’s Implementation Plan**

#### **Step 1: Grant IAM Role Access to AWS KMS**

SecureCart **modifies the IAM execution role** assigned to the Lambda function by adding the following policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id"
    }
  ]
}
```

✅ **This grants Lambda permission to decrypt documents using SecureCart’s KMS key.**

***

#### **Step 2: Modify the AWS KMS Key Policy**

SecureCart **updates the AWS KMS key policy** to allow decryption for the Lambda execution role:

```json
{
  "Version": "2012-10-17",
  "Id": "key-use-policy",
  "Statement": [
    {
      "Sid": "AllowLambdaDecryption",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/SecureCart-LambdaExecutionRole"
      },
      "Action": "kms:Decrypt",
      "Resource": "*"
    }
  ]
}
```

✅ **Now, the KMS key explicitly allows SecureCart’s Lambda function to decrypt files.**
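As an added illustration of how the two policies from Steps 1 and 2 interact (example code written for this page, not AWS code or anything from the original write-up), the Python model below applies the documented KMS evaluation rule for a same-account caller: the key policy is always consulted, and an IAM identity policy can grant key use only when the key policy delegates to IAM through the account root principal. The account id, role name and key id are the page's placeholders. The model keeps the default `Enable IAM User Permissions` root statement alongside the `AllowLambdaDecryption` statement, because `aws kms put-key-policy` replaces the whole policy document and a key policy that omits the root statement leaves no IAM principal in the account able to administer the key. Conditions, KMS grants and cross-account access are not modelled.

```python
"""Toy model of the KMS authorization decision for a same-account caller.

Added example; not AWS code. Account id, role name and key id are placeholders.
"""
import copy
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"                                           # placeholder
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/your-kms-key-id"  # placeholder
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/SecureCart-LambdaExecutionRole"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"

# Step 1: identity policy on the Lambda execution role, scoped to one key ARN.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}
    ],
}

# Step 2: key policy. The root statement is the default AWS creates; keep it
# when replacing the policy or nobody in the account can manage the key.
# In a key policy "Resource": "*" means "the key this policy is attached to".
KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-use-policy",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowLambdaDecryption", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN}, "Action": "kms:Decrypt", "Resource": "*"},
    ],
}


def _listify(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    return any(p in ("*", principal_arn) for p in _listify(principal.get("AWS", [])))


def _action_resource_match(stmt, action, resource):
    actions = _listify(stmt.get("Action", []))
    resources = _listify(stmt.get("Resource", []))
    return (any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate(policy, action, resource, principal_arn=None):
    """Return 'Deny', 'Allow' or 'Implicit'. An explicit Deny always wins.

    principal_arn is checked only for resource (key) policies; identity
    policies have no Principal element.
    """
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if principal_arn is not None and not _principal_matches(stmt, principal_arn):
            continue
        if not _action_resource_match(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def kms_authorizes(key_policy, identity_policy, principal_arn, action, key_arn):
    """Decide whether principal_arn may call `action` on `key_arn`."""
    key = evaluate(key_policy, action, key_arn, principal_arn)
    identity = evaluate(identity_policy, action, key_arn)
    if "Deny" in (key, identity):
        return False
    if key == "Allow":                       # key policy names the role directly
        return True
    # Otherwise the identity policy only counts if the key policy delegates
    # to IAM via the account root principal (the default key policy does).
    delegated = evaluate(key_policy, action, key_arn, ROOT_ARN) == "Allow"
    return delegated and identity == "Allow"


def without_statement(policy, sid):
    """Copy of `policy` with statement `sid` removed, for what-if checks."""
    trimmed = copy.deepcopy(policy)
    trimmed["Statement"] = [s for s in trimmed["Statement"] if s.get("Sid") != sid]
    return trimmed


if __name__ == "__main__":
    print("decrypt allowed:", kms_authorizes(KEY_POLICY, ROLE_POLICY, ROLE_ARN, "kms:Decrypt", KEY_ARN))
    print("encrypt allowed:", kms_authorizes(KEY_POLICY, ROLE_POLICY, ROLE_ARN, "kms:Encrypt", KEY_ARN))
```

The what-if checks this enables are the ones worth running before changing a real key: removing the `AllowLambdaDecryption` statement still permits decryption only because the root statement delegates to IAM and the role's identity policy allows it; removing both statements locks the role out regardless of its IAM policy; and `kms:Encrypt` stays denied because neither policy grants it, which is the least-privilege outcome the page recommends. The identity policy's `Resource` names the key ARN, so the same role gets nothing on a different key unless that key's policy names the role directly.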

***

### **🔹 Key AWS Services Used in SecureCart’s Architecture**

| **Service**                              | **Purpose**                                                   |
| ---------------------------------------- | ------------------------------------------------------------- |
| **AWS KMS**                              | Manages encryption keys to protect order documents.           |
| **Amazon FSx for NetApp ONTAP**          | Stores encrypted documents securely.                          |
| **AWS Lambda**                           | Processes the encrypted documents after decrypting them.      |
| **Amazon S3 Glacier Flexible Retrieval** | Stores processed data securely in long-term archival storage. |
| **IAM Roles & Policies**                 | Controls access to AWS KMS for SecureCart’s Lambda function.  |

***

### **📌 Best Practices for SecureCart**

✔ **Use Customer Managed Keys (CMK) for fine-grained access control** over encryption keys.\
✔ **Apply least privilege access** – Only grant the `kms:Decrypt` permission to services that require it.\
✔ **Enable KMS key rotation** for added security and compliance.\
✔ **Monitor KMS usage** with **AWS CloudTrail** to detect unauthorized access attempts.\
✔ **Use KMS multi-Region keys** if SecureCart expands to multiple AWS regions.

***

### **🚀 Summary**

✅ SecureCart’s **AWS Lambda function requires `kms:Decrypt` permission** to process encrypted documents stored in FSx for NetApp ONTAP.\
✅ The **correct solution** is to attach `kms:Decrypt` to the **Lambda execution role** and modify the **KMS key policy** to explicitly grant the execution role access.\
✅ This approach **follows AWS best practices**, **ensures secure data processing**, and **minimizes unnecessary permissions**.
