
Answer-first summary for fast verification
Answer: Grant the decrypt permission for the Lambda IAM role in the KMS key's policy, Create a new IAM policy with the kms:decrypt permission and attach the policy to the Lambda function.
## Explanation

When a Lambda function needs to decrypt files encrypted with AWS KMS keys, the following permissions are required:

1. **KMS key policy**: The KMS key's policy must grant the `kms:Decrypt` permission to the Lambda function's IAM role. This is essential because KMS keys have their own resource-based policies that control who can use them.
2. **IAM role permissions**: The Lambda function's execution role must have the `kms:Decrypt` permission in its IAM policy. This allows the Lambda function to make the API call to KMS.

**Why B and D are correct:**

- **Option B**: Grant the decrypt permission for the Lambda IAM role in the KMS key's policy. This is necessary for the KMS key to allow the Lambda role to use it.
- **Option D**: Create a new IAM policy with the `kms:Decrypt` permission and attach the policy to the Lambda function. This provides the Lambda function with the IAM permissions it needs to call the KMS API.

**Why the other options are incorrect:**

- **Option A**: Lambda functions don't have resource policies for KMS permissions. Resource policies are for services like S3 buckets, not Lambda functions.
- **Option C**: KMS key policies grant permissions to IAM roles/users, not to Lambda resource policies.
- **Option E**: While creating a new IAM role with the `kms:Decrypt` permission would work, it is not the most efficient approach. The question asks for the combination that accomplishes the task, and option D (attaching a policy to the existing role) is more appropriate than creating a completely new role.

**Best practice approach:**

1. Create an IAM policy with the `kms:Decrypt` permission for the specific KMS key.
2. Attach this policy to the Lambda function's execution role.
3. Ensure the KMS key policy grants the `kms:Decrypt` permission to the Lambda function's IAM role.

This two-way permission model ensures that both the caller (Lambda) has permission to make the API call and the resource (KMS key) allows the caller to use it.
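The two-way model above, as an added worked example that is not part of the original page: the option D identity policy and the option B key policy are written out as constructed sample documents (placeholder account, key and role identifiers), and a small evaluator shows that `kms:Decrypt` is granted only when both policies allow it. The evaluator is a deliberately simplified model of IAM evaluation (explicit Deny wins, wildcards honoured, Condition blocks and the key policy's IAM delegation statement not modelled).

```python
from fnmatch import fnmatchcase

# Constructed placeholder identifiers, not real account, key or role values.
ACCOUNT_ID = "111122223333"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/EXAMPLE-KEY-ID"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/file-decrypt-lambda-role"

# Option D: identity-based policy attached to the Lambda execution role,
# scoped to the one key the workflow uses rather than "Resource": "*".
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}

# Option B: resource-based key policy naming the role as principal.
# Inside a key policy, "Resource": "*" means this key only.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": LAMBDA_ROLE_ARN},
     "Action": "kms:Decrypt", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _any_match(value, patterns):
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def _matches(stmt, action, resource, principal):
    """Does the statement cover this request? Wildcards honoured, Conditions not modelled."""
    if not _any_match(action, stmt.get("Action", [])):
        return False
    if not _any_match(resource, stmt.get("Resource", [])):
        return False
    if principal is not None:  # only key policies carry a Principal element
        p = stmt.get("Principal", {})
        if not _any_match(principal, p.get("AWS", []) if isinstance(p, dict) else p):
            return False
    return True

def _decision(policy, action, resource, principal=None):
    """IAM-style outcome: explicit Deny wins, then Allow, else implicit deny."""
    hits = [s for s in _as_list(policy.get("Statement", []))
            if _matches(s, action, resource, principal)]
    if any(s.get("Effect") == "Deny" for s in hits):
        return False
    return any(s.get("Effect") == "Allow" for s in hits)

def can_decrypt(role_arn, key_arn, role_policy, key_policy):
    """The two-way model from the explanation: the role's identity policy AND
    the key policy must both allow kms:Decrypt on this key for this role."""
    return (_decision(role_policy, "kms:Decrypt", key_arn)
            and _decision(key_policy, "kms:Decrypt", key_arn, principal=role_arn))
```

Dropping either policy, or pointing the role at a different key, makes `can_decrypt` return False, which is the failure mode each of options B and D alone would leave behind.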
Author: LeetQuiz Editorial Team
A company has an application workflow that uses an AWS Lambda function to download and decrypt files from Amazon S3. These files are encrypted using AWS Key Management Service (AWS KMS) keys. A solutions architect needs to design a solution that will ensure the required permissions are set correctly.
Which combination of actions accomplishes this? (Choose two.)
A. Attach the kms:decrypt permission to the Lambda function's resource policy.
B. Grant the decrypt permission for the Lambda IAM role in the KMS key's policy.
C. Grant the decrypt permission for the Lambda resource policy in the KMS key's policy.
D. Create a new IAM policy with the kms:decrypt permission and attach the policy to the Lambda function.
E. Create a new IAM role with the kms:decrypt permission and attach the execution role to the Lambda function.