KMS
AWS Key Management Service (AWS KMS) is a managed encryption service that helps organizations securely create and manage encryption keys across AWS services. It provides fine-grained control over how cryptographic keys are used, ensuring secure data protection and compliance.
✅ SecureCart’s Use Case: Processing Encrypted Documents with AWS Lambda
SecureCart operates an e-commerce analytics system that processes encrypted order documents stored in Amazon FSx for NetApp ONTAP. The AWS Lambda function is responsible for decrypting the files, processing them, and storing the results in Amazon S3 Glacier Flexible Retrieval for archival.
🔹 Scenario Breakdown
✔ Encrypted documents stored in FSx for NetApp ONTAP – SecureCart encrypts order records using AWS KMS Customer Managed Key (CMK). ✔ AWS Lambda function processes these documents – The function decrypts, processes, and stores results in S3 Glacier. ✔ Lambda requires KMS decryption permissions – It must have permission to decrypt files protected by KMS keys.
✅ Correct Solution: Option A
Attach the
kms:Decryptpermission to the Lambda function’s execution role and Modify the KMS key policy to grantkms:Decryptpermission to the function’s execution role.
🔑 Why is this the best approach?
✔ Execution roles control Lambda permissions – The IAM execution role must be granted the ability to use the KMS key. ✔ KMS key policy explicitly allows decryption – KMS key policies define who can use the key and for what actions. ✔ Ensures security best practices – Allows least privilege access while keeping key policies manageable.
❌ Why Are Other Options Incorrect?
Option
Reason for Rejection
B: Attach kms:Decrypt permission to Lambda execution role & allow Lambda’s ARN in KMS key policy
❌ IAM roles (not Lambda ARNs) are typically used in KMS key policies to manage access. Granting permissions directly to a function ARN is unnecessary.
C: Attach kms:Decrypt permission to Lambda’s resource policy
❌ Lambda functions do not support resource-based policies for granting KMS access. Permissions must be assigned to the execution role.
D: Attach kms:Decrypt permission to Lambda’s resource policy & allow function’s ARN in KMS key policy
❌ Same issue as C—Lambda does not use resource-based policies for AWS KMS.
🔹 SecureCart’s Implementation Plan
Step 1: Grant IAM Role Access to AWS KMS
SecureCart modifies the IAM execution role assigned to the Lambda function by adding the following policy:
✅ This grants Lambda permission to decrypt documents using SecureCart’s KMS key.
Step 2: Modify the AWS KMS Key Policy
SecureCart updates the AWS KMS key policy to allow decryption for the Lambda execution role:
✅ Now, the KMS key explicitly allows SecureCart’s Lambda function to decrypt files.
🔹 Key AWS Services Used in SecureCart’s Architecture
Service
Purpose
AWS KMS
Manages encryption keys to protect order documents.
Amazon FSx for NetApp ONTAP
Stores encrypted documents securely.
AWS Lambda
Processes the encrypted documents after decrypting them.
Amazon S3 Glacier Flexible Retrieval
Stores processed data securely in long-term archival storage.
IAM Roles & Policies
Controls access to AWS KMS for SecureCart’s Lambda function.
📌 Best Practices for SecureCart
✔ Use Customer Managed Keys (CMK) for fine-grained access control over encryption keys.
✔ Apply least privilege access – Only grant the kms:Decrypt permission to services that require it.
✔ Enable KMS key rotation for added security and compliance.
✔ Monitor KMS usage with AWS CloudTrail to detect unauthorized access attempts.
✔ Use KMS multi-Region keys if SecureCart expands to multiple AWS regions.
🚀 Summary
✅ SecureCart’s AWS Lambda function requires kms:Decrypt permission to process encrypted documents stored in FSx for NetApp ONTAP.
✅ The correct solution is to attach kms:Decrypt to the Lambda execution role and modify the KMS key policy to explicitly grant the execution role access.
✅ This approach follows AWS best practices, ensures secure data processing, and minimizes unnecessary permissions.
Last updated