ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 99 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 99
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

An IAM user receives an Access Denied message when the user attempts to access objects in an Amazon S3 bucket. The user and the S3 bucket are in the same AWS account. The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account. The S3 bucket has no bucket policy defined. The IAM user has been granted permissions through an IAM policy that allows the kms:Decrypt permission to the customer managed key. The IAM policy also allows the s3:List* and s3:Get* permissions for the S3 bucket and its objects.

Which of the following is a possible reason that the IAM user cannot access the objects in the S3 bucket?

  • A. The IAM policy needs to allow the kms:DescribeKey permission.
  • B. The S3 bucket has been changed to use the AWS managed key to encrypt objects at rest.
  • C. An S3 bucket policy needs to be added to allow the IAM user to access the objects.
  • D. The KMS key policy has been edited to remove the ability for the AWS account to have full access to the key.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by oioi at Nov. 23, 2023, 9:51 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
azure4life
Highly Voted 8 months, 3 weeks ago
Selected Answer: D
The possible reason that the IAM user cannot access the objects in the S3 bucket is that the KMS key policy has been edited to remove the ability for the AWS account to have full access to the key. Since the S3 bucket is using SSE-KMS encryption with a customer managed key, the key policy for that KMS key needs to grant the appropriate permissions to allow decryption of the objects. The IAM policy grants the kms:Decrypt permission, but if the key policy no longer gives the AWS account full access, the decrypt permission will still be denied. Options A and B relate to the kms:DescribeKey permission and AWS managed keys, but a customer managed key is being used here. Option C is incorrect because an S3 bucket policy is not required when using IAM policies for permissions. Therefore, option D that mentions the KMS key policy having inappropriate access for the account is the likely reason for the access being denied.
upvoted 5 times
...
vikasj1in
Most Recent 7 months, 3 weeks ago
The IAM user has been granted the kms:Decrypt permission for the customer managed key used for server-side encryption in the S3 bucket. If the KMS key policy has been modified to restrict access, it might override the IAM user's permissions, resulting in an Access Denied error. It's crucial to ensure that the KMS key policy grants the necessary permissions to the AWS account (and by extension, the IAM user) to perform the required decryption operations.
upvoted 2 times
...
Daniel76
8 months, 1 week ago
Selected Answer: D
If you allow by IAM policy to a key, it still can be denied by key policy (which is another policy) unless you explicitly allows. "Unless the key policy explicitly allows it, you cannot use IAM policies to allow access to a KMS key. Without permission from the key policy, IAM policies that allow permissions have no effect."
upvoted 4 times
Daniel76
8 months, 1 week ago
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
upvoted 2 times
...
...
kejam
9 months ago
Selected Answer: D
https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-root-enable-iam
upvoted 1 times
...
Aamee
9 months, 1 week ago
Selected Answer: D
The following statement leads me to believe that option D could be the best option: 'The S3 bucket is configured to use server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all of its objects at rest by using a customer managed key from the same AWS account'.
upvoted 1 times
...
[Removed]
9 months, 1 week ago
Selected Answer: D
D is correct
upvoted 2 times
...
oioi
9 months, 2 weeks ago
Selected Answer: D
correct
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago