
Amazon SCS-C03 Exam - Topic 1 Question 5 Discussion

Actual exam question for Amazon's SCS-C03 exam
Question #: 5
Topic #: 1

A company's application team needs a new AWS Key Management Service (AWS KMS) customer managed key to use with Amazon S3. The company's security policy requires separate keys for different AWS services to limit security exposure.

How can a security engineer limit the KMS customer managed key to work with only Amazon S3?

Suggested Answer: B

AWS KMS provides condition keys that can be used to tightly scope how and where a customer managed key can be used. According to the AWS Certified Security -- Specialty Study Guide, the kms:ViaService condition key is specifically designed to restrict key usage to requests that originate from a particular AWS service in a specific Region.

By configuring the key policy to allow KMS cryptographic operations only when kms:ViaService equals s3.<region>.amazonaws.com, the security engineer ensures that the key can be used exclusively by Amazon S3. Even if other IAM principals have permissions to use the key, the key cannot be used by other services such as Amazon EC2, Amazon RDS, or AWS Lambda.

Option A is incorrect because AWS services do not assume identities in key policies. Options C and D modify IAM role policies, which do not control how a KMS key is used by AWS services. AWS documentation clearly states that service-level restrictions must be enforced at the KMS key policy level using condition keys.

This approach enforces strong separation of duties and limits blast radius, which aligns with AWS security best practices.

Referenced AWS Specialty Documents:

- AWS Certified Security -- Specialty Official Study Guide
- AWS KMS Key Policy Condition Keys
- AWS KMS Best Practices


Contribute your Thoughts:

Kristin
5 days ago
I'm not entirely sure, but I remember something about key policies being important for limiting access. Maybe option A could work too?
upvoted 0 times
Craig
10 days ago
I think option B sounds right because it mentions the kms:ViaService condition key, which seems like a way to restrict access to just S3.
upvoted 0 times
Jenelle
15 days ago
I'm a little confused on this one. I was thinking option C might work, but now I'm not so sure. Maybe I should re-read the question and think it through again. Don't want to rush into the wrong answer here.
upvoted 0 times
Winfred
20 days ago
This seems pretty straightforward to me. I'd go with option B - using the kms:ViaService condition key to restrict the key policy. That way we can be sure the key can only be used for S3 and nothing else. Seems like the cleanest solution.
upvoted 0 times
Josephine
25 days ago
Okay, I've got an idea. I think option D could be a good approach. If we configure the IAM role policy to only allow S3 operations when they're combined with the KMS key, that should give us the separation of concerns that the security policy requires.
upvoted 0 times
Lynette
1 month ago
Hmm, I'm a bit unsure about this one. I was thinking option A might work, but I'm not 100% sure if that would be enough to fully limit the key to just S3. Maybe I should double-check the documentation on key policies.
upvoted 0 times
Ilene
1 month ago
I think option B is the way to go here. Limiting the key policy to only allow KMS actions when the kms:ViaService condition matches Amazon S3 seems like the most direct way to restrict the key's usage.
upvoted 0 times