Which policies should the Security Engineer review and modify to resolve this issue?
(Choose three.)
The CMK policy
The VPC endpoint policy
The S3 bucket policy
The S3 ACL
The IAM policy
Explanations:
The CMK policy must allow the IAM user to use the KMS CMK for decryption, because the S3 bucket is encrypted with that key. Without this permission the IAM user cannot read the encrypted objects, even if S3 itself grants access.
The VPC endpoint policy is not relevant in this case. It controls access over the network path for private VPC resources but does not affect direct permissions for accessing encrypted objects in S3.
The S3 bucket policy should allow the IAM user to access the bucket. Bucket policies define which principals can access specific resources within the bucket, so this grant is also necessary for successful access.
S3 ACLs control access at the object level and are not typically involved in IAM-based access to KMS-encrypted buckets. They also do not manage permission to decrypt objects.
The IAM policy associated with the user should include permissions to access S3 and KMS. Without this, the user will not have the necessary permissions to download objects from the encrypted bucket.