AWS Certified Security – Specialty — Question 155

A company is using AWS Organizations to manage multiple AWS accounts. The company has an application that allows users to assume the AppUser IAM role to download files from an Amazon S3 bucket that is encrypted with an AWS KMS CMK. However, when users try to access the files in the S3 bucket, they get an access denied error.
What should a security engineer do to troubleshoot this error? (Choose three.)

Answer options

• A. Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK.
• B. Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket.
• C. Ensure the CMK was created before the S3 bucket.
• D. Ensure the S3 block public access feature is enabled for the S3 bucket.
• E. Ensure that automatic key rotation is disabled for the CMK.
• F. Ensure the SCPs within Organizations allow access to the S3 bucket.

Correct answer: A, B, F

Explanation

The correct answers A, B, and F address permissions issues: A ensures the AppUser role can decrypt the files using the KMS key, B confirms the role can access the objects in the S3 bucket, and F checks that the Service Control Policies permit access. Options C, D, and E do not directly relate to permissions needed for access and therefore are not relevant for troubleshooting the access denied error.