🔥 3-day streak
AWS Certified Security - Specialty77 / 157
Question 77 of 157
A security engineer manages a single AWS KMS customer managed key used by multiple project teams in the same account. Compliance requires that a principal be allowed to call kms:Decrypt only when the data key was originally encrypted for that principal's own project, without creating a separate KMS key per team. Each project's EC2 instances assume a role tagged with Project=<name>, and applications pass an encryption context of {"project":"<name>"} on every Encrypt call. Which approach enforces this requirement using one shared KMS key?
Reviewed for accuracy · Report an issueNext question