AWS Certified Solutions Architect – Associate (SAA-C03) — Question 605

A company has an application workflow that uses an AWS Lambda function to download and decrypt files from Amazon S3. These files are encrypted using AWS Key Management Service (AWS KMS) keys. A solutions architect needs to design a solution that will ensure the required permissions are set correctly.

Which combination of actions accomplish this? (Choose two.)

Answer options

• A. Attach the kms:decrypt permission to the Lambda function’s resource policy
• B. Grant the decrypt permission for the Lambda IAM role in the KMS key's policy
• C. Grant the decrypt permission for the Lambda resource policy in the KMS key's policy.
• D. Create a new IAM policy with the kms:decrypt permission and attach the policy to the Lambda function.
• E. Create a new IAM role with the kms:decrypt permission and attach the execution role to the Lambda function.

Correct answer: B, E

Explanation

To successfully decrypt KMS-encrypted files, the Lambda function's IAM execution role must be granted the kms:decrypt permission, and the KMS key policy must also explicitly allow that same IAM execution role to perform the decryption. Lambda resource-based policies control function invocation permissions rather than outbound resource access, making options A and C incorrect. Additionally, IAM policies cannot be attached directly to a Lambda function without an execution role, ruling out option D.