Which combination of actions accomplishes this?
(Choose two.)
Attach the kms:decrypt permission to the Lambda function’s resource policy
Grant the decrypt permission for the Lambda IAM role in the KMS key’s policy
Grant the decrypt permission for the Lambda resource policy in the KMS key’s policy.
Create a new IAM policy with the kms:decrypt permission and attach the policy to the Lambda function.
Create a new IAM role with the kms:decrypt permission and attach the execution role to the Lambda function.
Explanations:
Attaching the kms:decrypt permission to the Lambda function’s resource policy is not possible. A Lambda resource-based policy grants other principals lambda: actions on the function itself (for example, permission to invoke it); it cannot carry KMS actions and has nothing to do with decrypting objects the function reads from Amazon S3.
Granting the kms:decrypt permission for the Lambda IAM role in the KMS key’s policy is correct. The key policy is the primary access control for a KMS key; a statement whose Principal is the execution role’s ARN lets that role call kms:Decrypt, which is what reading an SSE-KMS-encrypted object from Amazon S3 requires.
The Lambda function’s resource policy cannot be granted decrypt permissions in the KMS key’s policy, because a resource policy is not a principal. The KMS key policy controls access to the key itself, and its Principal elements name IAM identities such as roles (not a Lambda resource policy) that may perform decryption.
Creating an IAM policy with the kms:decrypt permission and attaching it to the Lambda function is not correct because IAM policies cannot be attached directly to Lambda functions. Policies must be attached to the IAM execution role that Lambda assumes when it runs the function.
Creating an IAM role with the kms:decrypt permission and attaching it to the Lambda function as its execution role gives the function the identity-based permission it needs to use the KMS key for decryption. One caveat: an identity-based permission is effective only if the key policy allows it, either by naming the role directly (as in the correct answer above) or by containing the default statement that grants the account root principal and thereby delegates to IAM policies. An execution role with kms:decrypt whose key policy does neither is still denied.
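As an added worked example (not part of the original question or its explanations), the three policy documents behind the two correct answers, plus a deliberately simplified model of the KMS authorization rule that shows why the execution role's own permission depends on the key policy. The account ID, region, key ID and role name are made up, and the evaluator is a teaching model of the documented rule (key policy allows the principal directly, or key policy delegates to IAM via the account root and an IAM policy allows the principal; an explicit Deny wins), not AWS's real evaluator: it ignores conditions, ARN wildcards and grants.

```python
"""Policy documents for the Lambda-decrypts-S3-object scenario and a
simplified model of KMS access decisions. Example code added for this
page; all identifiers below are hypothetical."""
import json

ACCOUNT = "111122223333"                       # hypothetical account
KEY_ARN = (f"arn:aws:kms:us-east-1:{ACCOUNT}:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")   # hypothetical key
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/lambda-s3-decrypt-role"  # hypothetical role

# Trust policy of the execution role: lets the Lambda service assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Identity-based policy attached to the execution role (the "create a role
# with kms:Decrypt" answer): scoped to the single key, not "*".
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "kms:Decrypt",
                   "Resource": KEY_ARN}],
}

# Key policy (the "grant the role in the key policy" answer). The first
# statement is the usual root delegation that makes IAM policies effective;
# the second names the execution role directly.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIAMPolicies", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowLambdaRoleDecrypt", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN},
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, principal, action, resource):
    """Does this statement apply to (principal, action, resource)?
    Identity policies have no Principal element, so that check is skipped."""
    actions = _as_list(stmt.get("Action", []))
    if action not in actions and "kms:*" not in actions and "*" not in actions:
        return False
    resources = _as_list(stmt.get("Resource", []))
    if resource not in resources and "*" not in resources:
        return False
    if "Principal" in stmt:
        p = stmt["Principal"]
        principals = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if principal not in principals and "*" not in principals:
            return False
    return True


def _effects(policy, principal, action, resource):
    return {s["Effect"] for s in policy["Statement"]
            if _matches(s, principal, action, resource)}


def kms_allows(key_policy, iam_policy, principal, action, key_arn, account):
    """Simplified KMS decision: explicit Deny wins; otherwise the key policy
    must allow the principal directly, or it must allow the account root
    (delegating to IAM) AND an identity policy must allow the principal."""
    key_effects = _effects(key_policy, principal, action, key_arn)
    iam_effects = (_effects(iam_policy, principal, action, key_arn)
                   if iam_policy else set())
    if "Deny" in key_effects or "Deny" in iam_effects:
        return False
    if "Allow" in key_effects:
        return True
    root = f"arn:aws:iam::{account}:root"
    delegated = "Allow" in _effects(key_policy, root, action, key_arn)
    return delegated and "Allow" in iam_effects


def without_sid(policy, sid):
    """Copy of a policy with the statement carrying the given Sid removed."""
    return {"Version": policy["Version"],
            "Statement": [s for s in policy["Statement"] if s.get("Sid") != sid]}


if __name__ == "__main__":
    print(json.dumps(KEY_POLICY, indent=2))
    print("role may decrypt:",
          kms_allows(KEY_POLICY, ROLE_POLICY, ROLE_ARN, "kms:Decrypt", KEY_ARN, ACCOUNT))
```

Removing the AllowLambdaRoleDecrypt statement still permits decryption through the root-delegation path plus the role's identity policy, but removing both key-policy statements denies the role even though its own policy grants kms:Decrypt, which is the caveat in the last explanation above.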