AWS Certified Security – Specialty — Question 480
An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions. The environment has the following configuration:
✑ The instance is allowed the kms:Decrypt action in its IAM role for all resources
✑ The AWS KMS CMK status is set to enabled
✑ The instance can communicate with the KMS API using a configured VPC endpoint
What is causing the issue?
Answer options
- A. The kms:GenerateDataKey permission is missing from the EC2 instance's IAM role
- B. The ARN tag on the CMK contains the EC2 instance's ID instead of the instance's ARN
- C. The kms:Encrypt permission is missing from the EC2 IAM role
- D. The KMS CMK key policy that enables IAM user permissions is missing
Correct answer: D
Explanation
For an IAM policy to successfully grant permissions to a KMS key, the KMS CMK's key policy must explicitly contain a statement that enables IAM user permissions (typically an Allow statement whose principal is the AWS account root, arn:aws:iam::ACCOUNT_ID:root). KMS evaluates the key policy first; without this delegation statement, permissions defined solely in the EC2 instance's IAM role have no effect, and the decrypt call is denied even though the role grants kms:Decrypt on all resources. The other options do not explain the symptom: kms:Encrypt and kms:GenerateDataKey are not required for a decryption-only operation, and a tag mismatch on the CMK does not block IAM authorization in this way.
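To make the check concrete, here is an added example (not part of the original question) that inspects a KMS key policy document and reports whether it contains the statement that delegates permissions to IAM for a given account and action. The two policies and the account ID 111122223333 are constructed samples, and Condition blocks are not evaluated.

```python
"""Detect whether a KMS key policy delegates permissions to IAM policies."""
import fnmatch
import json

ACCOUNT_ID = "111122223333"  # placeholder account id, not a real account


def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def delegates_to_iam(policy: dict, account_id: str, action: str = "kms:Decrypt") -> bool:
    """True if an Allow statement names the account root principal and covers `action`.

    This is the "Enable IAM User Permissions" pattern; without it, an IAM role
    policy granting kms:Decrypt has no effect on this key. Condition keys are
    ignored here, so a match means "delegation statement present", not "access
    guaranteed".
    """
    root_arn = f"arn:aws:iam::{account_id}:root"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if root_arn not in aws_principals:
            continue
        # Action may be a wildcard such as "kms:*"; match the requested action against it.
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in _as_list(stmt.get("Action", []))):
            return True
    return False


# Constructed: only a key-administrator role is trusted, so an EC2 role holding
# kms:Decrypt in its IAM policy is still denied (the scenario in the question).
BROKEN_POLICY = json.loads(f"""{{
  "Version": "2012-10-17",
  "Statement": [{{"Sid": "KeyAdmins", "Effect": "Allow",
    "Principal": {{"AWS": "arn:aws:iam::{ACCOUNT_ID}:role/KeyAdmin"}},
    "Action": ["kms:Create*", "kms:Describe*", "kms:Put*", "kms:ScheduleKeyDeletion"],
    "Resource": "*"}}]}}""")

# Constructed: the same policy with the IAM delegation statement added.
FIXED_POLICY = json.loads(json.dumps(BROKEN_POLICY))
FIXED_POLICY["Statement"].append({
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
    "Action": "kms:*", "Resource": "*"})

if __name__ == "__main__":
    print("broken policy delegates to IAM:", delegates_to_iam(BROKEN_POLICY, ACCOUNT_ID))
    print("fixed policy delegates to IAM: ", delegates_to_iam(FIXED_POLICY, ACCOUNT_ID))
```

Against a live key, the same function can be fed the output of `aws kms get-key-policy --key-id <id> --policy-name default` to confirm whether the delegation statement is present.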