SAP-C02 Question 96
Question
A solutions architect needs to implement a client-side encryption mechanism for objects that will be stored in a new Amazon S3 bucket. The solutions architect created a CMK that is stored in AWS Key Management Service (AWS KMS) for this purpose. The solutions architect created the following IAM policy and attached it to an IAM role: During tests, the solutions architect was able to successfully get existing test objects in the S3 bucket. However, attempts to upload a new object resulted in an error message. The error message stated that the action was forbidden. Which action must the solutions architect add to the IAM policy to meet all the requirements?
Options
A. kms:GenerateDataKey
B. kms:GetKeyPolicy
C. kms:GetPublicKey
D. kms:Sign
Answer
A
Explanation
Correct answer: A. The correct option is A, kms:GenerateDataKey. Reason: this option most directly addresses the key constraint in the question. Client-side encryption with a KMS key calls GenerateDataKey to obtain a fresh data key for each object at upload time, so without that permission every upload is forbidden, while downloads succeed because reading an existing object requires only decrypting its stored data key with kms:Decrypt. When working through SAP-C02 questions, always check the qualifiers in the stem, such as highest performance, lowest operational overhead, cost effectiveness, reliability, scalability, security, RTO/RPO, and compliance requirements. The main topics tested here are S3, IAM, and KMS. Elimination: B, C, and D are typically ruled out on grounds such as protocol or service fit, single points of failure, cross-region/high-availability design, operational complexity, cost ...