AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company has an application workflow that uses an AWS Lambda function to download and decrypt files from Amazon S3. These files are encrypted using AWS Key Management Service (AWS KMS) keys. A solutions architect needs to design a solution that will ensure the required permissions are set correctly.

Which combination of actions accomplish this? (Choose two.)

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Attach the kms:decrypt permission to the Lambda function's resource policy

Grant the decrypt permission for the Lambda IAM role in the KMS key's policy

Grant the decrypt permission for the Lambda resource policy in the KMS key's policy.

Create a new IAM policy with the kms:decrypt permission and attach the policy to the Lambda function.

Create a new IAM role with the kms:decrypt permission and attach the execution role to the Lambda function.

Explanation:

Explanation

When a Lambda function needs to decrypt files encrypted with AWS KMS keys, the following permissions are required:

KMS Key Policy: The KMS key's policy must grant the kms:Decrypt permission to the Lambda function's IAM role. This is essential because KMS keys have their own resource-based policies that control who can use them.
IAM Role/Permissions: The Lambda function's execution role must have the kms:Decrypt permission in its IAM policy. This allows the Lambda function to make the API call to KMS.

Why B and D are correct:

Option B: Grants the decrypt permission for the Lambda IAM role in the KMS key's policy - This is necessary for the KMS key to allow the Lambda role to use it.
Option D: Create a new IAM policy with the kms:decrypt permission and attach the policy to the Lambda function - This provides the Lambda function with the necessary IAM permissions to call the KMS API.

Why other options are incorrect:

Option A: Lambda functions don't have resource policies for KMS permissions. Resource policies are for services like S3 buckets, not Lambda functions.
Option C: KMS key policies grant permissions to IAM roles/users, not to Lambda resource policies.
Option E: While creating a new IAM role with kms:decrypt permission would work, it's not the most efficient approach. The question asks for the combination that accompl the task, and option D (attaching a policy to the existing role) is more appropriate than creating a completely new role.

Best Practice Approach:

Create an IAM policy with kms:Decrypt permission for the specific KMS key
Attach this policy to the Lambda function's execution role
Ensure the KMS key policy grants kms:Decrypt permission to the Lambda function's IAM role

This two-way permission model ensures both the caller (Lambda) has permission to make the API call and the resource (KMS key) allows the caller to use it.

Powered ByGPT-5.2

Comments

Loading comments...