Which combination of actions accomplishes this?
(Choose two.)
Attach the kms:decrypt permission to the Lambda function’s resource policy.
Grant the decrypt permission for the Lambda IAM role in the KMS key’s policy.
Grant the decrypt permission for the Lambda resource policy in the KMS key’s policy.
Create a new IAM policy with the kms:decrypt permission and attach the policy to the Lambda function.
Create a new IAM role with the kms:decrypt permission and attach the execution role to the Lambda function.
Explanations:
The Lambda function’s resource policy does not control KMS key permissions. Permissions for KMS are typically handled by IAM roles or the KMS key policy itself.
Granting the kms:decrypt permission in the KMS key policy for the Lambda IAM role allows the Lambda function to decrypt the files in S3 using the KMS key.
The KMS key policy should directly grant permissions to the IAM role, not to a Lambda function’s resource policy. The Lambda resource policy does not control access to the KMS key.
IAM policies are attached to IAM roles, not directly to Lambda functions. Therefore, this is not the correct way to grant kms:decrypt permissions.
Creating a new IAM role with the kms:decrypt permission and attaching it to the Lambda function ensures the Lambda function has the necessary permissions to decrypt the files using the KMS key.
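
The two grants described in the explanations, written out as a CloudFormation template. This is an added example, not part of the original question; every logical name (DecryptFunctionRole, FilesKey, DecryptFunctionKmsPolicy, DecryptFunction), the policy name and the runtime are assumptions, and the S3 read permission and real handler code are left out.

```yaml
Resources:
  # Added example; logical names are hypothetical. Execution role assumed by Lambda.
  DecryptFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
  # Key policy: names the execution role as a principal allowed to decrypt.
  FilesKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow  # account administration statement
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          - Sid: LambdaRoleDecrypt
            Effect: Allow
            Principal:
              AWS: !GetAtt DecryptFunctionRole.Arn
            Action: kms:Decrypt
            Resource: "*"  # inside a key policy, "*" refers to this key
  # Identity policy on the role: kms:Decrypt scoped to this one key.
  DecryptFunctionKmsPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: allow-kms-decrypt
      Roles: [!Ref DecryptFunctionRole]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: kms:Decrypt
            Resource: !GetAtt FilesKey.Arn
  # The function runs under the role; the handler is a placeholder.
  DecryptFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt DecryptFunctionRole.Arn
      Code:
        ZipFile: "def handler(event, context): return 'ok'"
```

The identity policy is a separate AWS::IAM::Policy resource so that the role does not reference the key while the key policy references the role, which CloudFormation would reject as a circular dependency.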