AWS Certified Developer – Associate — Question 409

A developer has created a new IAM user that has the s3:PutObject permission to write to a specific Amazon S3 bucket. The S3 bucket uses server-side encryption with AWS KMS managed keys (SSE-KMS) as the default encryption. When an application uses the access key and secret key of the IAM user to call the PutObject API operation, the application receives an access denied error.
What should the developer do to resolve this error?

Answer options

Correct answer: C

Explanation

When an object is uploaded to an Amazon S3 bucket whose default encryption is SSE-KMS, S3 calls AWS KMS on behalf of the caller to generate a data key that encrypts the object, so the caller's IAM identity must be allowed to perform that KMS operation. Granting kms:GenerateDataKey on the bucket's KMS key in the IAM user's policy resolves the access denied error by allowing the user to use the encryption key. Changing the bucket policy, bucket ACLs, or the bucket's encryption configuration does not supply the missing KMS cryptographic permission.
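The following is an added example, not part of the exam question or its explanation. It is a small local checker that evaluates a constructed IAM identity policy against the actions an SSE-KMS upload needs, and shows the "before" policy (s3:PutObject only, which produces the access denied error) beside the "after" policy (s3:PutObject plus kms:GenerateDataKey on the key). It goes slightly beyond the question by also covering the read path, where GetObject on an SSE-KMS object needs kms:Decrypt. The bucket name, account id and key id are hypothetical placeholders, and the matcher implements only Allow/Deny on Action and Resource with wildcards; real IAM evaluation also involves conditions, the KMS key policy, resource policies and SCPs.

```python
"""Local checker for the IAM actions an SSE-KMS S3 operation requires.

Added example (not AWS code). Placeholder ARNs are constructed for the demo.
"""
import json
import re

# Constructed example ARNs: hypothetical bucket, account id and key id.
BUCKET_ARN = "arn:aws:s3:::example-app-uploads"
OBJECT_ARN = BUCKET_ARN + "/*"
KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
           "00000000-0000-0000-0000-000000000000")

# S3 calls KMS on the caller's behalf, so the caller needs both the S3
# action and the matching KMS action on the bucket's key.
REQUIRED_ACTIONS = {
    "PutObject": [("s3:PutObject", OBJECT_ARN), ("kms:GenerateDataKey", KEY_ARN)],
    "GetObject": [("s3:GetObject", OBJECT_ARN), ("kms:Decrypt", KEY_ARN)],
}

# "Before": the policy from the question, which only grants s3:PutObject.
POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": OBJECT_ARN},
    ],
}

# "After": the fix, adding kms:GenerateDataKey scoped to the bucket's key.
POLICY_AFTER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": OBJECT_ARN},
        {"Effect": "Allow", "Action": ["kms:GenerateDataKey"], "Resource": KEY_ARN},
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalize."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, case_sensitive):
    """Match an IAM-style pattern ('*' and '?') against a value.

    Action names are case-insensitive in IAM; ARNs are case-sensitive.
    """
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.match(regex, value, flags) is not None


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: explicit Deny wins, else any Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(_wildcard_match(a, action, False)
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_wildcard_match(r, resource, True)
                           for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_actions(policy, operation):
    """Return the required actions the policy does not grant for an operation."""
    return [action for action, resource in REQUIRED_ACTIONS[operation]
            if not is_allowed(policy, action, resource)]


if __name__ == "__main__":
    for name, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        gaps = missing_actions(policy, "PutObject")
        print(f"{name}: PutObject missing {gaps or 'nothing'}")
    print(json.dumps(POLICY_AFTER, indent=2))
```

The checker flags kms:GenerateDataKey as missing for the "before" policy and nothing for the "after" policy. Even with the identity policy fixed, the KMS key policy must also permit the principal, either directly or through the key policy's statement that delegates to IAM policies in the account; a key policy that does not do so still produces the same access denied error.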