Which additional step should the solutions architect take to troubleshoot this issue?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A developer reports receiving an Error 403: Access Denied message when they try to download an object from an Amazon S3 bucket.The S3 bucket is accessed using an S3 endpoint inside a VPC, and is encrypted with an AWS KMS key.A solutions architect has verified that the developer is assuming the correct IAM role in the account that allows the object to be downloaded.The S3 bucket policy and the NACL are also valid.

Which additional step should the solutions architect take to troubleshoot this issue?

Ensure that blocking all public access has not been enabled in the S3 bucket.

Verify that the IAM role has permission to decrypt the referenced KMS key.

Verify that the IAM role has the correct trust relationship configured.

Check that local firewall rules are not preventing access to the S3 endpoint.

Explanations:

Enabling “Block all public access” does not impact access from VPC endpoints, as they are intended for private access. Therefore, this setting is not relevant for the developer’s access issue.

If the developer’s IAM role does not have permission to use the KMS key to decrypt the object, it will result in an Access Denied error when trying to access the encrypted S3 object. Verifying the KMS key permissions is crucial.

The trust relationship defines which entities can assume the IAM role. If the role is already confirmed to be assumed correctly, this step is unnecessary for troubleshooting the access issue.

Local firewall rules typically do not affect access to AWS services when using VPC endpoints. If other users can access the bucket without issue, it’s likely not a local firewall problem.

2025-10-18

1 Comment

  1. William
    Author

    I outline that the answer is:
    Verify that the IAM role has permission to decrypt the referenced KMS key.

Leave a Reply

Your email address will not be published. Required fields are marked *

four + ten =