What is the MOST likely cause of this error?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company’s security engineer has configured a client account to capture AWS CloudTrail logs that are then sent to an Amazon S3 bucket.The S3 bucket that stores these CloudTrail logs has always been configured to use AWS Key Management Service (AWS KMS) with the default KMS key (aws/s3) for encryption.Recently, the company changed the key on the S3 bucket to a new KMS key.Since the modification of the bucket key, the security engineer cannot retrieve new CloudTrail log files that are written to the S3 bucket.The security engineer receives the following error message: “An error occurred (AccessDenied) when calling the GetObject operation: Access Denied”.Log files that were written to the S3 bucket before the bucket key was changed are still accessible.The company used the new KMS key to encrypt other S3 buckets, and the same error is occurring with those S3 buckets.

What is the MOST likely cause of this error?

The security engineer’s IAM user does not have encrypt and decrypt permissions for the new KMS key.

The security engineer’s IAM user does not have administrative permissions for the new KMS key.

The S3 bucket policy needs modification to allow users to access objects that are encrypted with the new KMS key.

The S3 bucket policy needs modification to allow the security engineer’s IAM user to access objects in the S3 bucket.

Explanations:

The error is most likely due to the security engineer’s IAM user not having the appropriate permissions to decrypt objects encrypted with the new KMS key. AWS KMS permissions (such askms:Decrypt) are required to retrieve the encrypted objects from S3.

Administrative permissions for the KMS key are not required to decrypt or access the objects, but rather specific decrypt permissions for the key associated with the S3 bucket are necessary.

The issue is not related to the S3 bucket policy but to the permissions on the KMS key. S3 bucket policies are generally used to control access to the S3 objects, but this issue is caused by a lack of KMS decryption permissions.

The S3 bucket policy typically governs access to the objects, but in this case, the issue is related to KMS permissions, not the S3 bucket policy. The IAM user needs the correct permissions for the KMS key rather than the bucket policy modification.

2025-10-04

1 Comment

  1. Elizabeth
    Author

    I rank that the answer is:
    The security engineer’s IAM user does not have encrypt and decrypt permissions for the new KMS key.

Leave a Reply

Your email address will not be published. Required fields are marked *

one × four =