
Answer-first summary for fast verification
Answer: The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.
The correct answer is D: The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key. An IAM policy on its own is not enough to use a KMS key: access to a customer managed key is governed by the key policy as well, and IAM policies in the account can only grant permissions on the key when the key policy still allows the account itself (its root principal) to use the key. If the key policy no longer grants the IAM user, or the account, the required permissions, the user receives an 'Access Denied' error regardless of what the IAM policy says. Because the S3 bucket uses SSE-KMS with a customer managed key, every object read requires a decrypt with that key, so the key policy must permit the necessary permissions to decrypt the objects before the s3:Get* permissions are of any use.
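As an added illustration that is not part of the original page, the following Python model contrasts a constructed key policy that keeps the account-root statement with one where that statement was removed, and shows that an IAM policy granting kms:Decrypt only has effect in the first case. The account id, the user and role ARNs, and the simplified evaluation (Allow statements only; no Deny statements, conditions or grants) are assumptions.

```python
import json

ACCOUNT = "111122223333"  # constructed account id for the samples below
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/analyst"  # constructed IAM user

# Constructed sample: the default "Enable IAM User Permissions" statement, which lets
# IAM policies in the account grant access to the key.
KEY_POLICY_WITH_ROOT = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": "kms:*", "Resource": "*"}]})

# Constructed sample: the root statement has been removed; only one role keeps access,
# so IAM policies granting kms:Decrypt to other principals no longer have any effect.
KEY_POLICY_WITHOUT_ROOT = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Key administrators only", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"},
     "Action": "kms:*", "Resource": "*"}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allow_statements(policy_json):
    """Yield (principals, actions, resources) for each Allow statement with AWS principals."""
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        # Deny statements, conditions, grants and service principals are outside this model.
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        yield (_as_list(principal.get("AWS", [])), _as_list(stmt.get("Action", [])),
               _as_list(stmt.get("Resource", [])))

def _grants_decrypt(actions, resources):
    return "*" in resources and ("kms:*" in actions or "kms:Decrypt" in actions)

def key_policy_enables_iam(policy_json, account_id):
    """True if the key policy delegates to IAM via an Allow for the account root principal."""
    root = f"arn:aws:iam::{account_id}:root"
    return any((root in p or account_id in p) and _grants_decrypt(a, r)
               for p, a, r in _allow_statements(policy_json))

def principal_can_decrypt(policy_json, account_id, principal_arn, iam_allows_decrypt):
    """Simplified KMS authorization: the key policy must name the principal directly,
    or delegate to IAM and the principal's IAM policy must allow kms:Decrypt."""
    if any(principal_arn in p and _grants_decrypt(a, r)
           for p, a, r in _allow_statements(policy_json)):
        return True
    return key_policy_enables_iam(policy_json, account_id) and iam_allows_decrypt
```

Auditing a real key with `aws kms get-key-policy --key-id <KEY_ID> --policy-name default` and feeding the output to `key_policy_enables_iam` is the quickest way to confirm whether this scenario applies.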
Author: LeetQuiz Editorial Team
An IAM user encounters an 'Access Denied' error when trying to access objects in an Amazon S3 bucket within the same AWS account. The S3 bucket employs server-side encryption with AWS KMS keys (SSE-KMS) for all its objects at rest, utilizing a customer managed key from the same account. There is no bucket policy in place for the S3 bucket. The IAM user has been granted permissions via an IAM policy that includes kms:Decrypt for the customer managed key, as well as s3:List* and s3:Get* permissions for the S3 bucket and its objects. What might be the underlying cause preventing the IAM user from accessing the objects in the S3 bucket?
A
The IAM policy needs to allow the kms:DescribeKey permission.
B
The S3 bucket has been changed to use the AWS managed key to encrypt objects at rest.
C
An S3 bucket policy needs to be added to allow the IAM user to access the objects.
D
The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.