Which policies should the Security Engineer review and modify to resolve this issue?

By: study aws cloud

Tagged: Security Specialty

With: 1 Comment

An Amazon S3 bucket is encrypted using an AWS KMS CMK.An IAM user is unable to download objects from the S3 bucket using the AWS ManagementConsole; however, other users can download objects from the S3 bucket.

Which policies should the Security Engineer review and modify to resolve this issue?

(Choose three.)

The CMK policy

The VPC endpoint policy

The S3 bucket policy

The S3 ACL

The IAM policy

Explanations:

The CMK policy must allow the IAM user to use the KMS CMK for decryption since the S3 bucket is encrypted. Without this permission, the IAM user cannot access the encrypted data.

The VPC endpoint policy is not relevant in this case. It controls access over the network path for private VPC resources but does not affect direct permissions for accessing encrypted objects in S3.

The S3 bucket policy should allow the IAM user to access the bucket. Bucket policies define who can access specific resources within the bucket, making this necessary for successful access.

S3 ACLs control access at the object level and are not typically involved in IAM-based access with KMS-encrypted buckets. They also do not manage permissions to decrypt objects.

The IAM policy associated with the user should include permissions to access S3 and KMS. Without this, the user will not have the necessary permissions to download objects from the encrypted bucket.

Previous Post: If the call to the CloudWatch APIs has different dimensions, but the same metric name, how will CloudWatch treat all the requests?

Next Post: Which solution will meet these requirements?

1 Comment

Author

From what I’ve seen, the answer is:
The CMK policy

Noah

2 hours ago

Permalink

Reply

Leave a Reply Cancel reply