AWS Certified Solutions Architect – Professional — Question 971

A developer reports receiving an Error 403: Access Denied message when they try to download an object from an Amazon S3 bucket. The S3 bucket is accessed using an S3 endpoint inside a VPC, and is encrypted with an AWS KMS key. A solutions architect has verified that the developer is assuming the correct IAM role in the account that allows the object to be downloaded. The S3 bucket policy and the NACL are also valid.
Which additional step should the solutions architect take to troubleshoot this issue?

Answer options

• A. Ensure that blocking all public access has not been enabled in the S3 bucket.
• B. Verify that the IAM role has permission to decrypt the referenced KMS key.
• C. Verify that the IAM role has the correct trust relationship configured.
• D. Check that local firewall rules are not preventing access to the S3 endpoint.

Correct answer: B

Explanation

Because the Amazon S3 object is encrypted with an AWS KMS key, any entity attempting to retrieve it must have both S3 read permissions and the kms:Decrypt permission for that specific KMS key. If the KMS key policy or the IAM policy does not explicitly permit decryption, S3 will return an Access Denied (403) error. Other options, such as checking the trust relationship, are irrelevant because the developer has already successfully assumed the IAM role.