Which policies or ACL should a security engineer review and modify to resolve this issue?

By:
In: SCS-C01
Tagged:
With: 2 Comments
An application team is developing an internal application in its AWS account.Employees will use the application to access their employee benefits information.The application has an Amazon S3 bucket that is encrypted with an AWS Key Management Service (AWS KMS) customer managed key.The application team has configured an S3 gateway VPC endpoint for the application to use.During testing, an IAM user is unable to download objects from the S3 bucket by using the AWS Management Console.However, other IAM users in the same AWS account can download objects from the S3 bucket.

Which policies or ACL should a security engineer review and modify to resolve this issue?

(Choose three.)

The KMS customer managed key policy.

The S3 VPC endpoint policy.

The S3 bucket policy.

The S3 ACL.

The IAM policy.

The KMS VPC endpoint policy.

Explanations:

The KMS customer managed key policy controls access to the KMS key used for encrypting the S3 bucket. If the IAM user does not have the necessary permissions in the key policy to use the KMS key for decryption, they will be unable to download objects from the S3 bucket, even if they have access to the bucket itself.

The S3 VPC endpoint policy governs access to the S3 bucket via the VPC endpoint. While it can restrict access to specific principals or IP addresses, the issue described involves a user unable to access S3 through the AWS Management Console. Therefore, it is less likely to be the source of the problem compared to other options.

The S3 bucket policy defines permissions for the S3 bucket itself. If the IAM user’s access is explicitly denied or not granted in the bucket policy, they would be unable to download objects, even if other users can. This policy needs to be reviewed to ensure that the IAM user has the correct permissions to access the bucket.

S3 Access Control Lists (ACLs) can grant permissions on individual objects or buckets, but they are generally not the primary method of controlling access in modern applications. If the IAM user can access the bucket but not the specific objects, ACLs could be a factor, but since other users can access the bucket, it is less likely to be the root cause here.

The IAM policy attached to the user directly defines what actions they are allowed to perform on AWS resources. If the policy does not explicitly allow thes3:GetObjectaction for the specific S3 bucket, the user will not be able to download objects. Therefore, this IAM policy must be checked and potentially modified to include the necessary permissions.

The KMS VPC endpoint policy would manage access to the KMS service from within a VPC, but it is not directly relevant to S3 access issues. The KMS key policy (option A) is what matters for KMS permissions in relation to the S3 bucket’s encryption, making this option less relevant in the context of the user’s inability to download objects from S3.

2026-03-28

2 Comments

  1. Vincent
    Author

    As far as I can tell, the answer is:
    The KMS customer managed key policy.

  2. Kenneth
    Author

    I believe the answer is:
    The KMS customer managed key policy.

Leave a Reply

Your email address will not be published. Required fields are marked *

12 − 2 =