AWS Certified Security – Specialty — Question 360

An IAM user receives an Access Denied message when the user attempts to access objects in an Amazon S3 bucket. The user and the S3 bucket are in the same AWS account. The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account. The S3 bucket has no bucket policy defined. The IAM user has been granted permissions through an IAM policy that allows the kms:Decrypt permission to the customer managed key. The IAM policy also allows the s3:List* and s3:Get* permissions for the S3 bucket and its objects.

Which of the following is a possible reason that the IAM user cannot access the objects in the S3 bucket?

Answer options

Correct answer: D

Explanation

An IAM identity policy can only grant permissions on a customer managed KMS key if the key policy first allows it. Unlike most AWS resources, a KMS key is not governed by IAM policies by default: the key policy must contain a statement that allows the account principal (`arn:aws:iam::<account-id>:root`) to use the key. That statement, titled "Enable IAM User Permissions" in the default key policy, is what lets IAM policies in the account take effect for the key. If an administrator edited the key policy and removed it, the kms:Decrypt permission in the user's IAM policy is never honored, S3 cannot decrypt the object's data key on the user's behalf, and the GetObject request fails with Access Denied even though the S3 permissions themselves are fine. To confirm this, inspect the key policy with `aws kms get-key-policy --key-id <key-id> --policy-name default` and check for an Allow statement whose principal is the account root; the denied call also appears in CloudTrail as a KMS Decrypt event rather than as an S3 error, which separates a KMS problem from an S3 permission problem. The other options are incorrect because, within the same account and with no bucket policy, s3:Get* and s3:List* in the IAM policy are sufficient for the S3 side of the request, and kms:DescribeKey is not needed to decrypt objects.
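The following Python script is an added illustration of the rule above; it is not AWS code and not part of the original question. It models, in simplified form, the two ways a same-account principal can be authorized for kms:Decrypt: being named directly in the key policy, or being covered by the account-root statement plus an IAM identity policy. The account ID, key ID, bucket name, user and role ARNs, and both key policies are constructed for the example; explicit denies, grants, conditions (such as kms:ViaService) and the real IAM evaluation engine are deliberately left out.

```python
import fnmatch

ACCOUNT = "111122223333"                        # constructed account id
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"  # constructed key id
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/{KEY_ID}"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/s3-reader"   # the IAM user in the question
ADMIN_ARN = f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"   # constructed key administrator

# Default key policy as AWS creates it: the first statement hands control of the
# key to the account principal, which is what makes IAM policies count for it.
DEFAULT_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions",
         "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*",
         "Resource": "*"},
        {"Sid": "Allow administration of the key",
         "Effect": "Allow",
         "Principal": {"AWS": ADMIN_ARN},
         "Action": "kms:*",
         "Resource": "*"},
    ],
}

# The same key after someone deleted the "Enable IAM User Permissions" statement.
EDITED_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [DEFAULT_KEY_POLICY["Statement"][1]],
}

# The IAM identity policy attached to the user, as described in the question.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": "kms:Decrypt",
         "Resource": KEY_ARN},
        {"Effect": "Allow",
         "Action": ["s3:List*", "s3:Get*"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    """IAM-style wildcard match ('*' and '?') against one or more patterns."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    return arn in _as_list(principal.get("AWS", []))


def key_policy_allows(key_policy, principal_arn, action):
    """True if the key policy itself has an Allow for this principal and action.
    Resource in a key policy is always '*' (the key the policy is attached to)."""
    return any(
        s.get("Effect") == "Allow"
        and _principal_matches(s.get("Principal", {}), principal_arn)
        and _any_match(s.get("Action", []), action)
        for s in key_policy["Statement"]
    )


def iam_policy_allows(iam_policy, action, resource_arn):
    return any(
        s.get("Effect") == "Allow"
        and _any_match(s.get("Action", []), action)
        and _any_match(s.get("Resource", []), resource_arn)
        for s in iam_policy["Statement"]
    )


def kms_action_allowed(key_policy, iam_policy, principal_arn, account_id,
                       key_arn, action="kms:Decrypt"):
    """Simplified KMS authorization for a same-account principal.

    Allowed if (1) the key policy names the principal directly, or (2) the key
    policy allows the account root principal AND an IAM policy attached to the
    principal allows the action on the key. Without path 2, an IAM-only
    kms:Decrypt grant has no effect.
    """
    if key_policy_allows(key_policy, principal_arn, action):
        return True
    root = f"arn:aws:iam::{account_id}:root"
    return (key_policy_allows(key_policy, root, action)
            and iam_policy_allows(iam_policy, action, key_arn))


def explain(key_policy):
    """Verdict for the question's user against a given key policy."""
    ok = kms_action_allowed(key_policy, IAM_POLICY, USER_ARN, ACCOUNT, KEY_ARN)
    return "GetObject succeeds" if ok else "GetObject -> AccessDenied (KMS refused kms:Decrypt)"


if __name__ == "__main__":
    print("default key policy:", explain(DEFAULT_KEY_POLICY))
    print("edited key policy: ", explain(EDITED_KEY_POLICY))
```

Running the script shows the user succeeding under the default key policy and being denied under the edited one, while the key administrator, who is named in the key policy directly, is unaffected by the missing root statement. The same IAM policy is used in both cases, which is the point of the question: the change that broke access was made on the key policy, not on the user.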