Task Statement 1.3: Determine appropriate data security controls.
📘AWS Certified Solutions Architect – (SAA-C03)
1. Introduction
In AWS, encryption protects sensitive data such as:
- Database records
- Application secrets
- Backup files
- Logs
- Personally identifiable information (PII)
However, encryption alone is not enough. You must control who can use the encryption keys.
For the SAA-C03 exam, you must understand how to:
- Control access to encryption keys
- Use AWS policies correctly
- Apply the principle of least privilege
- Secure data at rest using AWS Key Management Service (KMS)
The main service used for encryption key management in AWS is:
👉 AWS Key Management Service (AWS KMS)
2. What Is AWS KMS?
AWS KMS is a managed service that allows you to:
- Create encryption keys
- Control access to keys
- Rotate keys
- Monitor key usage
- Integrate encryption with other AWS services
Instead of manually managing encryption keys, AWS KMS securely stores and controls them for you.
3. Why Are Access Policies for Encryption Keys Important?
Encryption keys are extremely sensitive.
If someone can:
- Use a key → They can decrypt data
- Delete a key → Data may become permanently unreadable
- Modify key policy → They can give themselves access
Therefore, controlling key access is critical.
4. Types of KMS Keys (Exam Focus)
For the SAA-C03 exam, understand:
1️⃣ AWS Managed Keys
- Automatically created by AWS services
- Managed by AWS
- Limited control over policies
2️⃣ Customer Managed Keys (CMKs)
- Created by you
- Full control over:
  - Key policy
  - IAM policy
  - Rotation
  - Permissions
⚠️ Exam Tip:
If the question says you need fine-grained access control, choose Customer Managed Keys.
5. How Access Control Works in AWS KMS
Access to encryption keys is controlled using:
- Key Policies (Primary control)
- IAM Policies
- Grants
All three may be tested in the exam.
6. Key Policies (Most Important for Exam)
A key policy is a special resource-based policy attached directly to the KMS key.
Without a key policy allowing access → Nobody can use the key.
Key Policy Characteristics:
- Required for every KMS key
- Defines who can:
  - Encrypt
  - Decrypt
  - Generate data keys
  - Delete the key
  - Modify the key policy
Example Key Policy Structure (Simplified)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
```
This statement allows only AppRole to encrypt and decrypt with the key. In a key policy, `"Resource": "*"` means the key the policy is attached to.
7. IAM Policies and KMS
IAM policies are identity-based policies attached to:
- Users
- Groups
- Roles
⚠️ Important Exam Rule:
For a user/role to use a KMS key:
- The key policy must allow it
- AND the IAM policy must allow it
Both must permit access.
If either denies access → Access is denied.
8. Key Policy vs IAM Policy (Very Important)
| Feature | Key Policy | IAM Policy |
|---|---|---|
| Attached to | KMS Key | IAM User/Role |
| Required? | Yes | Optional |
| Controls key access? | Yes (primary control) | Yes (if enabled in key policy) |
Common Exam Scenario:
If a user has IAM permission but the key policy does not allow them → They cannot use the key.
9. Grants (Temporary Access)
Grants allow temporary access to use a KMS key.
Used when:
- AWS services need to use a key on your behalf
- EC2 encrypts EBS volumes
- Lambda decrypts environment variables
Grants are:
- Lightweight
- Temporary
- Automatically created by AWS services
For SAA exam:
Know that grants allow temporary delegated access without modifying key policy.
10. Cross-Account Access to KMS Keys
You can allow another AWS account to use your KMS key.
This requires:
- Key policy in Account A allowing Account B
- IAM policy in Account B allowing access
Both sides must configure permissions correctly.
⚠️ Exam Scenario:
If cross-account encryption is required → Use key policy + IAM policy in both accounts.
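Sections 6 to 8 and 10 state the evaluation rules the exam tests: an explicit Deny wins, the key policy is the primary gate, and the IAM policy must also allow unless the key policy names a same-account principal directly. The Python model below is an added illustration of those rules, not AWS code; the ARNs and policies are constructed, and it deliberately ignores conditions, grants and `Principal: "*"`.

```python
from fnmatch import fnmatchcase
# Constructed sample identifiers (not from the original page).
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
APP_ROLE = "arn:aws:iam::123456789012:role/AppRole"          # same account as the key
PARTNER_ROLE = "arn:aws:iam::999999999999:role/PartnerRole"  # a different account
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppUse", "Effect": "Allow", "Principal": {"AWS": APP_ROLE},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
    {"Sid": "PartnerRead", "Effect": "Allow", "Principal": {"AWS": PARTNER_ROLE},
     "Action": "kms:Decrypt", "Resource": "*"},
]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _account(arn):
    return arn.split(":")[4]  # the account ID is the fifth colon-separated field of an ARN

def _matches(stmt, action, key_arn):
    # Action and Resource use IAM-style wildcards; "*" in a key policy means "this key".
    return (any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])) and
            any(fnmatchcase(key_arn, p) for p in _as_list(stmt.get("Resource", "*"))))

def _principals(stmt):
    return _as_list(stmt.get("Principal", {}).get("AWS"))

def kms_decision(key_policy, iam_policy, principal_arn, key_arn, action):
    """Return "Allow" or "Deny" for principal_arn calling `action` on key_arn (exam model)."""
    key_stmts = key_policy["Statement"]
    iam_stmts = iam_policy["Statement"] if iam_policy else []
    root_arn = f"arn:aws:iam::{_account(principal_arn)}:root"
    # Rule 1: an explicit Deny in either policy wins over every Allow.
    if any(s["Effect"] == "Deny" and _matches(s, action, key_arn)
           and principal_arn in _principals(s) for s in key_stmts):
        return "Deny"
    if any(s["Effect"] == "Deny" and _matches(s, action, key_arn) for s in iam_stmts):
        return "Deny"
    # Rule 2: the key policy is the primary gate: it must name the caller, or the caller's
    # account root, which is what turns IAM policies on for that account.
    allows = [s for s in key_stmts if s["Effect"] == "Allow" and _matches(s, action, key_arn)]
    direct = any(principal_arn in _principals(s) for s in allows)
    via_root = any(root_arn in _principals(s) for s in allows)
    if not (direct or via_root):
        return "Deny"  # exam Scenario 1: IAM policy allows, key policy does not
    # Rule 3: a same-account caller named directly in the key policy needs no IAM policy.
    if direct and _account(principal_arn) == _account(key_arn):
        return "Allow"
    # Rule 4: delegated-via-root and every cross-account caller also need an IAM Allow.
    iam_allows = any(s["Effect"] == "Allow" and _matches(s, action, key_arn) for s in iam_stmts)
    return "Allow" if iam_allows else "Deny"
```

A key policy statement that names the account root with `kms:*` hands every decision to the IAM side, which is why the exam pairs it with least-privilege IAM policies.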
11. Common KMS Permissions (Know for Exam)
You should recognize these actions:
- kms:Encrypt
- kms:Decrypt
- kms:GenerateDataKey
- kms:DescribeKey
- kms:CreateGrant
- kms:ScheduleKeyDeletion
- kms:PutKeyPolicy
12. Principle of Least Privilege (Very Important)
Always grant only necessary permissions.
Example:
✔ Application server:
- kms:Encrypt
- kms:Decrypt
❌ Do NOT allow:
- kms:ScheduleKeyDeletion
- kms:PutKeyPolicy
For the exam:
If a question mentions security best practice → Choose least privilege.
13. Separation of Duties (Common Scenario)
Good design separates:
- Key administrators
- Key users
Example:
| Role | Permissions |
|---|---|
| Security Team | Create and manage keys |
| Application Role | Encrypt/Decrypt only |
This prevents application developers from modifying key policies.
14. Key Deletion Protection
When deleting a KMS key:
- You must schedule deletion (7–30 days)
- You cannot instantly delete it
This protects against accidental data loss.
⚠️ If the key is deleted → Encrypted data becomes unreadable.
Exam may test this risk.
15. Automatic Key Rotation
For customer managed keys:
- Enable automatic rotation (once per year)
- Improves security
- Does not require re-encryption of data
Exam Tip:
If question asks for improved security with minimal operational overhead → Enable automatic rotation.
16. Multi-Region Keys (Advanced but Exam-Relevant)
KMS supports multi-Region keys:
- Same key material replicated in multiple regions
- Used for disaster recovery
- Keeps encryption consistent across regions
Choose this when:
- Application runs in multiple regions
- Need consistent encryption key
17. Monitoring and Logging Key Usage
All KMS API calls are logged in:
👉 AWS CloudTrail
This allows you to:
- Monitor who used the key
- Detect unauthorized activity
- Audit compliance
For exam:
If auditing encryption key usage is required → Use CloudTrail.
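The section above says CloudTrail lets you see who used a key and detect unauthorized activity. The Python below is an added example of turning that into concrete findings (refused calls, key use by an unexpected role, administrative actions by a non-admin, and any scheduled deletion); it is not AWS code, the records are constructed in the shape CloudTrail uses for assumed-role callers, and the role ARNs and allowlists are assumptions.

```python
"""Triage of CloudTrail records for one KMS key: who used it, who was refused, and who
touched its lifecycle. Record shape follows CloudTrail's format; the events are constructed."""
SENSITIVE = {"PutKeyPolicy", "DisableKey", "DisableKeyRotation"}  # key administration
USAGE = {"Encrypt", "Decrypt", "GenerateDataKey"}                    # key use
EXPECTED_USERS = {"arn:aws:iam::123456789012:role/AppRole"}         # constructed allowlists
EXPECTED_ADMINS = {"arn:aws:iam::123456789012:role/SecurityAdmin"}

def _record(event_name, role_arn, error=None, **request_params):
    # Minimal record as KMS logs it for an assumed role: userIdentity.arn is the temporary
    # session ARN, while the role that was assumed sits in sessionContext.sessionIssuer.arn.
    session = role_arn.replace(":iam:", ":sts:").replace(":role/", ":assumed-role/") + "/app-1"
    rec = {"eventSource": "kms.amazonaws.com", "eventName": event_name,
           "userIdentity": {"type": "AssumedRole", "arn": session,
                            "sessionContext": {"sessionIssuer": {"arn": role_arn}}},
           "requestParameters": request_params or None}
    if error:
        rec["errorCode"] = error  # CloudTrail includes errorCode only on failed calls
    return rec

EVENTS = [  # constructed sample, not real telemetry
    _record("Decrypt", "arn:aws:iam::123456789012:role/AppRole"),
    _record("Decrypt", "arn:aws:iam::123456789012:role/AppRole", error="AccessDenied"),
    _record("Decrypt", "arn:aws:iam::123456789012:role/DevRole"),
    _record("PutKeyPolicy", "arn:aws:iam::123456789012:role/SecurityAdmin"),
    _record("PutKeyPolicy", "arn:aws:iam::123456789012:role/DevRole"),
    _record("ScheduleKeyDeletion", "arn:aws:iam::123456789012:role/SecurityAdmin",
            pendingWindowInDays=7),
]

def caller(event):
    """Return the role behind an event rather than its temporary session ARN."""
    identity = event["userIdentity"]
    return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", identity["arn"])

def triage(events, expected_users=EXPECTED_USERS, expected_admins=EXPECTED_ADMINS):
    """Return (finding, caller, eventName) tuples worth a look during a key-usage audit."""
    findings = []
    for e in events:
        if e.get("eventSource") != "kms.amazonaws.com":
            continue
        who, name = caller(e), e["eventName"]
        if e.get("errorCode") == "AccessDenied":
            findings.append(("ACCESS_DENIED", who, name))  # often a key policy gap (Scenario 1)
        elif name == "ScheduleKeyDeletion":
            findings.append(("KEY_DELETION_SCHEDULED", who, name))  # data becomes unreadable
        elif name in SENSITIVE and who not in expected_admins:
            findings.append(("ADMIN_ACTION_BY_NON_ADMIN", who, name))
        elif name in USAGE and who not in expected_users:
            findings.append(("UNEXPECTED_KEY_USER", who, name))
    return findings
```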
18. Integration with Other AWS Services
Many AWS services integrate with KMS:
- Amazon S3
- Amazon EBS
- Amazon RDS
- AWS Lambda
Example IT Use Case:
- S3 bucket stores confidential reports
- Use customer managed key
- Only Finance role can decrypt
- Security team manages key policy
This is how KMS access policies are used in real IT environments.
19. Common Exam Scenarios
Scenario 1:
Application cannot decrypt data.
Possible cause:
- IAM policy allows access
- But key policy does not
Correct answer:
Update key policy.
Scenario 2:
Need strict control over who can use encryption keys.
Correct choice:
Customer Managed Key + custom key policy.
Scenario 3:
Need temporary access for AWS service.
Correct choice:
Grant.
Scenario 4:
Need audit trail of key usage.
Correct choice:
CloudTrail logging.
20. Common Mistakes (Exam Traps)
❌ Assuming IAM policy alone is enough
❌ Giving full KMS access to application roles
❌ Deleting key without understanding impact
❌ Using AWS managed key when fine-grained control is required
21. Final Exam Summary (Must Remember)
For SAA-C03, you must clearly understand:
✅ What AWS KMS does
✅ Difference between key policy and IAM policy
✅ Both must allow access
✅ Use least privilege
✅ Use customer managed keys for fine control
✅ Understand grants
✅ Enable rotation when required
✅ Monitor with CloudTrail
✅ Cross-account requires policy on both sides
Final Simple Explanation (For Non-IT Learners)
Think of encryption keys like master passwords for protected data.
AWS KMS:
- Stores the master password
- Controls who can use it
- Logs every time someone uses it
- Prevents accidental deletion
Key policies are the rules that say:
- Who can use the key
- Who can manage the key
- Who cannot touch it
For the AWS exam, remember:
👉 Encryption security is not just about encrypting data.
👉 It is about controlling who can use the encryption key.
That is the core concept tested in this section.
