Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Amazon SCS-C02 Exam - Topic 3 Question 53 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 53
Topic #: 3
[All SCS-C02 Questions]

[Identity and Access Management]

A company's engineering team is developing a new application that creates IAM Key Management Service (IAM KMS) CMK grants for users immediately after a grant IS created users must be able to use the CMK tu encrypt a 512-byte payload. During load testing, a bug appears |intermittently where AccessDeniedExceptions are occasionally triggered when a userrst attempts to encrypt using the CMK

Which solution should the c0mpany's security specialist recommend'?

Show Suggested Answer Hide Answer
Suggested Answer: D

To avoid AccessDeniedExceptions when users first attempt to encrypt using the CMK, the security specialist should recommend the following solution:

Instruct the engineering team to pass the grant token returned in the CreateGrant response to users. This allows the engineering team to use the grant token as a form of temporary authorization for the grant.

Instruct users to use that grant token in their call to encrypt. This allows the users to use the grant token as a proof that they have permission to use the CMK, and to avoid any eventual consistency issues with the grant creation.


by Dortha at Nov 21, 2025, 10:28 AM

Limited Time Offer

25%

Off

Get Premium SCS-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Letha
15 days ago
C could confuse users with random names. D is clearer and more reliable.
upvoted 0 times
...
Meghan
20 days ago
I like B too, but it adds complexity with random tokens.
upvoted 0 times
...
Rosalind
25 days ago
Option A seems like a workaround. Not ideal for a production app.
upvoted 0 times
...
Halina
1 month ago
I agree with D. It ensures users have the correct token for encryption.
upvoted 0 times
...
Adolph
1 month ago
I think option D is the best. It directly uses the grant token from the response.
upvoted 0 times
...
Albina
2 months ago
This question is tricky! I feel like it's testing our understanding of IAM.
upvoted 0 times
...
Ariel
2 months ago
AccessDeniedExceptions? That's surprising! Thought IAM was more reliable.
upvoted 0 times
...
Paris
2 months ago
Definitely agree with D, it keeps things straightforward.
upvoted 0 times
...
Elfrieda
2 months ago
Wait, why would we need a random name for the grant? That seems unnecessary.
upvoted 0 times
...
Ruthann
2 months ago
I think option D is the best choice here.
upvoted 0 times
...
Tracey
3 months ago
Sounds like a classic race condition issue.
upvoted 0 times
...
Dannie
3 months ago
Retry mechanisms every 2 minutes? That's just asking for trouble. Option D is the clear winner here.
upvoted 0 times
...
Elliot
3 months ago
Option B is a bit too convoluted for my liking. I'd go with the simple and elegant solution in option D.
upvoted 0 times
...
Tamesha
3 months ago
Haha, "AccessDeniedExceptions" - sounds like a great band name! But in all seriousness, option D looks like the way to go.
upvoted 0 times
...
Ligia
3 months ago
I feel like retrying every 2 minutes is a bit of a workaround. There must be a more direct solution to handle the AccessDeniedExceptions.
upvoted 0 times
...
Antonette
4 months ago
This seems similar to a practice question we did on IAM permissions. I think passing the grant token from the CreateGrant response makes the most sense, but I could be wrong.
upvoted 0 times
...
Lindsey
4 months ago
I'm a bit hesitant about option B, where the users have to consume a random grant token. That seems like it could introduce additional complexity and potential points of failure. I'd be more inclined to go with option D, as it seems the most direct and straightforward approach to addressing the issue.
upvoted 0 times
...
Della
4 months ago
I remember something about grant tokens being crucial for permissions, but I'm not sure if we should be using random tokens or the ones returned in the response.
upvoted 0 times
...
Felicitas
4 months ago
Okay, let's think this through step-by-step. The users need to be able to encrypt a 512-byte payload using the CMK, and the issue is that they're sometimes getting AccessDeniedExceptions. I'm leaning towards option D, where the engineering team passes the grant token directly to the users to use in their encrypt call. That seems like the most straightforward solution.
upvoted 0 times
...
Brittani
4 months ago
I'm not sure I understand the need for a grant token at all. Shouldn't the users just be able to use the CMK directly?
upvoted 0 times
...
Wilda
5 months ago
I vaguely recall that using a specific grant token is important for ensuring the right permissions, but I can't remember if it should be random or the one provided.
upvoted 0 times
...
Joana
5 months ago
Option D seems like the most straightforward solution. Why complicate things with random tokens or retry mechanisms?
upvoted 0 times
...
Rodolfo
5 months ago
Hmm, this is an interesting one. I think the key here is to focus on how to handle the intermittent AccessDeniedExceptions that are being triggered. The question is asking for a solution, so I'd want to carefully consider each of the options presented.
upvoted 0 times
...
Chaya
5 months ago
I'm a bit confused by this question. It seems like there's a lot of technical details to consider, and I'm not sure I fully understand the IAM KMS CMK grants and how they're being used in this application.
upvoted 0 times
Buddy
4 days ago
I agree! The AccessDeniedExceptions are concerning.
upvoted 0 times
...
Katie
10 days ago
This is definitely a tricky question. IAM KMS can be complex.
upvoted 0 times
...
...

Save Cancel