Question #1111
A developer has an application running in AWS Account X. The application needs to access an AWS Secrets Manager secret encrypted by an AWS KMS key in AWS Account Y. The application's role has permissions to retrieve the secret from Account Y but cannot decrypt it due to KMS key policies.
The developer must update the KMS key policy in Account Y to allow the role in Account X to decrypt the secret. The solution must follow the principle of least privilege.
Which permissions should be added to the KMS key policy to meet these requirements?
A. kms:Decrypt and kms:DescribeKey
B. secretsmanager:GetSecretValue and secretsmanager:DescribeSecret
C. kms:*
D. secretsmanager:*
Explanation
The KMS key policy in Account Y must explicitly allow the role in Account X to decrypt the secret. The minimal required permissions are:
1. kms:Decrypt: Allows decryption of the secret.
2. kms:DescribeKey: Required to retrieve key metadata (e.g., key ID, ARN) for decryption.
Why other options are incorrect:
- B and D: Secrets Manager permissions (e.g., secretsmanager:GetSecretValue) are not KMS actions and have no effect in a KMS key policy. The question states the role's IAM policy in Account X already grants them.
- C: Granting kms:* violates the principle of least privilege by allowing full access to the KMS key (including administrative actions such as changing the key policy), far beyond what decryption requires.
Key Points:
- KMS key policies control decryption permissions, not Secrets Manager.
- Least privilege requires granting only the necessary actions (kms:Decrypt and kms:DescribeKey).
- Cross-account access requires explicit KMS key policy permissions.
Answer
The correct answer is: A
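The following key policy statement, added here as an illustration and not part of the original question, shows how answer A looks in Account Y's KMS key policy. The account IDs, role name and region are assumed placeholders; `"Resource": "*"` in a key policy means the key the policy is attached to, and the kms:ViaService condition further restricts the grant so the role can only use the key through Secrets Manager, not for arbitrary Decrypt calls.

```json
{
  "Sid": "AllowAccountXAppRoleToDecryptViaSecretsManager",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::444455556666:role/AppRole"
  },
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"
    }
  }
}
```

Cross-account KMS access needs both sides to allow it: in addition to this key policy statement in Account Y, the role's identity-based policy in Account X must also allow kms:Decrypt and kms:DescribeKey on the key's ARN, otherwise the decrypt call is still denied.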