AWS Certified Solutions Architect – Associate (SAA-C02) — Question 719
A company has an application workflow that uses an AWS Lambda function to download and decrypt files from Amazon S3. These files are encrypted using AWS Key Management Service (AWS KMS) keys. A solutions architect needs to design a solution that will ensure the required permissions are set correctly.
Which combination of actions accomplishes this? (Choose two.)
Answer options
- A. Attach the kms:decrypt permission to the Lambda function's resource policy.
- B. Grant the decrypt permission for the Lambda IAM role in the KMS key's policy.
- C. Grant the decrypt permission for the Lambda resource policy in the KMS key's policy.
- D. Create a new IAM policy with the kms:decrypt permission and attach the policy to the Lambda function.
- E. Create a new IAM role with the kms:decrypt permission and attach the execution role to the Lambda function.
Correct answer: B, E
Explanation
To allow an AWS Lambda function to decrypt KMS-encrypted S3 objects, two things must both be true: the Lambda function's execution role must carry the necessary permission, and the KMS key policy must trust that execution role. Option E is correct because a Lambda function interacts with other AWS services only through its IAM execution role, so that role must include the kms:Decrypt permission. Option B is correct because KMS key policies are the primary access control for a key: the key policy must explicitly allow the Lambda execution role to decrypt, otherwise the IAM permission on the role alone is not sufficient. Options A, C and D are wrong because a Lambda resource policy controls who may invoke the function, not what the function may do, and KMS permissions cannot be granted to a Lambda resource policy or attached directly to the function.