AWS Certified Security – Specialty — Question 207
An Amazon S3 bucket is encrypted using an AWS KMS CMK. An IAM user is unable to download objects from the S3 bucket using the AWS Management
Console; however, other users can download objects from the S3 bucket.
Which policies should the Security Engineer review and modify to resolve this issue? (Choose three.)
Answer options
- A. The CMK policy
- B. The VPC endpoint policy
- C. The S3 bucket policy
- D. The S3 ACL
- E. The IAM policy
Correct answer: A, C, E
Explanation
The CMK policy must allow the IAM user access to the key used for encryption. Additionally, the S3 bucket policy needs to grant permissions for the user to access the objects, and the IAM policy must also ensure that the user has the necessary permissions to perform the download action. The VPC endpoint policy and S3 ACL are not directly related to individual IAM user permissions for object access in this scenario.