Which of the following actions will resolve the access denied error?
Update the ssm.amazonaws.com principal in the KMS key policy to allow kms:Decrypt.
Update the Lambda configuration to launch the function in a VPC.
Add a policy to the role that the Lambda function uses, allowing kms:Decrypt for the KMS key.
Add lambda.amazonaws.com as a trusted entity on the IAM role that the Lambda function uses.
Explanations:
Updating the ssm.amazonaws.com principal in the KMS key policy to allow kms:Decrypt is not directly relevant because the Lambda function needs permissions related to its own execution role to access the SecureString parameters, not SSM’s principal.
Launching the Lambda function in a VPC does not resolve the access denied error related to retrieving parameters from the Parameter Store, as the issue is tied to IAM permissions for KMS and not network access.
Adding a policy to the IAM role that the Lambda function uses, allowing kms:Decrypt for the specific KMS key, directly addresses the access denied error, enabling the Lambda function to decrypt the SecureString parameters.
Adding lambda.amazonaws.com as a trusted entity on the IAM role does not resolve the access denied issue. The trust relationship does not affect permissions for accessing KMS; the permissions must be set within the policy of the role itself.