AWS Certified Security – Specialty — Question 456

An application team is developing an internal application in its AWS account. Employees will use the application to access their employee benefits information. The application has an Amazon S3 bucket that is encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The application team has configured an S3 gateway VPC endpoint for the application to use.

During testing, an IAM user is unable to download objects from the S3 bucket by using the AWS Management Console. However, other IAM users in the same AWS account can download objects from the S3 bucket.

Which policies or ACL should a security engineer review and modify to resolve this issue? (Choose three.)

Answer options

• A. The KMS customer managed key policy.
• B. The S3 VPC endpoint policy.
• C. The S3 bucket policy.
• D. The S3 ACL.
• E. The IAM policy.
• F. The KMS VPC endpoint policy.

Correct answer: A, C, E

Explanation

To resolve the issue where only a specific IAM user cannot access the KMS-encrypted S3 bucket, the security engineer must verify the permissions governing that specific user's access, which are controlled by the IAM policy, the KMS key policy, and the S3 bucket policy. Since the user is attempting access via the AWS Management Console, VPC endpoint policies (options B and F) are not in the path of the request and thus do not apply. S3 ACLs (option D) are not the appropriate mechanism to troubleshoot this, as modern authorization is managed through IAM, S3 bucket, and KMS key policies.