Which policies should the Security Engineer review and modify to resolve this issue?

By:
In: SCS-C01
Tagged:
With: 2 Comments
An Amazon S3 bucket is encrypted using an AWS KMS CMK.An IAM user is unable to download objects from the S3 bucket using the AWS ManagementConsole; however, other users can download objects from the S3 bucket.

Which policies should the Security Engineer review and modify to resolve this issue?

(Choose three.)

The CMK policy

The VPC endpoint policy

The S3 bucket policy

The S3 ACL

The IAM policy

Explanations:

The CMK policy must allow the IAM user to use the KMS CMK for decryption since the S3 bucket is encrypted. Without this permission, the IAM user cannot access the encrypted data.

The VPC endpoint policy is not relevant in this case. It controls access over the network path for private VPC resources but does not affect direct permissions for accessing encrypted objects in S3.

The S3 bucket policy should allow the IAM user to access the bucket. Bucket policies define who can access specific resources within the bucket, making this necessary for successful access.

S3 ACLs control access at the object level and are not typically involved in IAM-based access with KMS-encrypted buckets. They also do not manage permissions to decrypt objects.

The IAM policy associated with the user should include permissions to access S3 and KMS. Without this, the user will not have the necessary permissions to download objects from the encrypted bucket.

2026-03-30

2 Comments

  1. Noah
    Author

    From what I’ve seen, the answer is:
    The CMK policy

  2. Kathy
    Author

    If memory serves me right, the answer is:
    The CMK policy

Leave a Reply

Your email address will not be published. Required fields are marked *

thirteen − 7 =