
Answer-first summary for fast verification
Answer: D. Add an IAM policy to the QuickSight service role to give QuickSight access to the KMS key that encrypts the S3 bucket. E. Add the KMS key as a resource that the QuickSight service role can access.
To allow Amazon QuickSight to read an S3 bucket encrypted with AWS KMS in a different account, QuickSight must have cross-account permission to read the bucket AND permission to use the KMS key to decrypt the objects. This requires granting the QuickSight service role an IAM policy allowing KMS `Decrypt` actions (Option D), and updating the KMS key policy in the source account to include the QuickSight service role as a permitted principal to access the key resource (Option E).
Author: Ritesh Yadav
Question 56
A company uses Amazon S3 to store data and Amazon QuickSight to create visualizations. The company has an S3 bucket in an AWS account named HubAccount. The S3 bucket is encrypted by an AWS Key Management Service (AWS KMS) key. The company's QuickSight instance is in a separate account named BI-Account. The company updates the S3 bucket policy to grant access to the QuickSight service role. The company wants to enable cross-account access to allow QuickSight to interact with the S3 bucket. Which combination of steps will meet this requirement? (Choose two.)
A. Use the existing AWS KMS key to encrypt connections from QuickSight to the S3 bucket.
B. Add the S3 bucket as a resource that the QuickSight service role can access.
C. Use AWS Resource Access Manager (AWS RAM) to share the S3 bucket with the BI-Account account.
D. Add an IAM policy to the QuickSight service role to give QuickSight access to the KMS key that encrypts the S3 bucket.
E. Add the KMS key as a resource that the QuickSight service role can access.