Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Amazon Exam SCS-C02 Topic 2 Question 9 Discussion

Actual exam question for Amazon's SCS-C02 exam
Question #: 9
Topic #: 2
[All SCS-C02 Questions]

An IAM user receives an Access Denied message when the user attempts to access objects in an Amazon S3 bucket. The user and the S3 bucket are in the same AWS account. The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account. The S3 bucket has no bucket policy defined. The IAM user has been granted permissions through an IAM policy that allows the kms:Decrypt permission to the customer managed key. The IAM policy also allows the s3:List* and s3:Get* permissions for the S3 bucket and its objects.

Which of the following is a possible reason that the IAM user cannot access the objects in the S3 bucket?

Show Suggested Answer Hide Answer
Suggested Answer: D

The possible reason that the IAM user cannot access the objects in the S3 bucket is D. The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.

This answer is correct because the KMS key policy is the primary way to control access to the KMS key, and it must explicitly allow the AWS account to have full access to the key. If the KMS key policy has been edited to remove this permission, then the IAM policy that grants kms:Decrypt permission to the IAM user has no effect, and the IAM user cannot decrypt the objects in the S3 bucket12.

The other options are incorrect because:

A) The IAM policy does not need to allow the kms:DescribeKey permission, because this permission is not required for decrypting objects in S3 using SSE-KMS. The kms:DescribeKey permission allows getting information about a KMS key, such as its creation date, description, and key state3.

B) The S3 bucket has not been changed to use the AWS managed key to encrypt objects at rest, because this would not cause an Access Denied message for the IAM user. The AWS managed key is a default KMS key that is created and managed by AWS for each AWS account and Region. The IAM user does not need any permissions on this key to use it for SSE-KMS4.

C) An S3 bucket policy does not need to be added to allow the IAM user to access the objects, because the IAM user already has s3:List* and s3:Get* permissions for the S3 bucket and its objects through an IAM policy. An S3 bucket policy is an optional way to grant cross-account access or public access to an S3 bucket5.


1: Key policies in AWS KMS 2: Using server-side encryption with AWS KMS keys (SSE-KMS) 3: AWS KMS API Permissions Reference 4: Using server-side encryption with Amazon S3 managed keys (SSE-S3) 5: Bucket policy examples

Contribute your Thoughts:

Dexter
8 months ago
Haha, good one Cassie. But you're absolutely right, the KMS key policy is the most likely culprit here. If the IAM user doesn't have the necessary permissions on the key, they won't be able to access the encrypted objects in the S3 bucket.
upvoted 0 times
Trinidad
8 months ago
D: The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.
upvoted 0 times
...
Terina
8 months ago
C: An S3 bucket policy needs to be added to allow the IAM user to access the objects.
upvoted 0 times
...
Phyliss
8 months ago
B: I think the S3 bucket has been changed to use the AWS managed key to encrypt objects at rest.
upvoted 0 times
...
Kenneth
8 months ago
A: The IAM policy needs to allow the kms:DescribeKey permission.
upvoted 0 times
...
...
Cassie
8 months ago
You know, I was thinking the same thing. The question specifically mentions that the S3 bucket is using a customer managed key for encryption, so the KMS key policy is probably the key (no pun intended) to solving this problem.
upvoted 0 times
...
Lynda
8 months ago
Yeah, my initial thought is that it might have something to do with the KMS key policy. If the key policy has been edited to remove the account's full access, that could definitely be the issue.
upvoted 0 times
...
Tommy
8 months ago
Hmm, this seems like a tricky one. The user has the right permissions in the IAM policy, but is still getting an Access Denied message. I wonder if there's something else going on with the KMS key policy or the S3 bucket configuration.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77