What should a security engineer do to troubleshoot this error?
(Choose three.)
Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK.
Ensure the S3 bucket policy allows the AppUser role to have permission to get objects for the S3 bucket.
Ensure the CMK was created before the S3 bucket.
Ensure the S3 block public access feature is enabled for the S3 bucket.
Ensure that automatic key rotation is disabled for the CMK.
Ensure the SCPs within Organizations allow access to the S3 bucket.
Explanations:
The KMS policy must explicitly allow the AppUser role permission to decrypt using the CMK. Without this, users won’t be able to decrypt the objects in the S3 bucket.
The S3 bucket policy must allow the AppUser role permission to access the objects in the bucket. Without this, users will be denied access to the objects, even if they can decrypt them.
Service Control Policies (SCPs) in AWS Organizations can restrict access to certain resources. If an SCP prevents access to S3 or KMS, the users will not be able to access the files in the S3 bucket.
The CMK does not need to be created before the S3 bucket. The order of creation is not relevant as long as the necessary permissions are granted to the resources.
Enabling S3 block public access only prevents public access to the bucket and does not affect the IAM roles or KMS permissions, so it is not relevant to this issue.
Automatic key rotation is unrelated to this issue. Key rotation does not affect the ability to decrypt if the correct permissions are in place.
In my opinion, the answer is:
Ensure the KMS policy allows the AppUser role to have permission to decrypt for the CMK.