AWS Certified Security – Specialty (SCS-C02) — Question 150

A developer operations team uses AWS Identity and Access Management (IAM) to manage user permissions. The team created an Amazon EC2 instance profile role that uses an AWS managed ReadOnlyAccess policy. When an application that is running on Amazon EC2 tries to read a file from an encrypted Amazon S3 bucket, the application receives an AccessDenied error.

The team administrator has verified that the S3 bucket policy allows everyone in the account to access the S3 bucket. There is no object ACL that is attached to the file.

What should the administrator do to fix the IAM access issue?

Answer options

• A. Edit the ReadOnlyAccess policy to add kms:Decrypt actions
• B. Add the EC2 IAM role as the authorized Principal to the S3 bucket policy
• C. Attach an inline policy with kms:Decrypt permissions to the IAM role
• D. Attach an inline policy with S3:* permissions to the IAM role

Correct answer: C

Explanation

The correct answer is C because the application needs the kms:Decrypt permission to access the encrypted objects in the S3 bucket. Options A and D do not specifically address the decryption requirement, while option B does not directly grant the needed permission to the IAM role.