🔥 3-day streak
AWS Certified Data Engineer - Associate82 / 159
Question 82 of 159

A data engineering team runs a Glue ETL job under an IAM role that must decrypt objects in an S3 bucket encrypted with a customer managed KMS key. The KMS key is owned by a separate security team who manages the key policy centrally and refuses to add every new consumer role directly into the key policy. The security team wants to allow the Glue role to perform decrypt operations while retaining full control over the key and enabling the permission to be revoked programmatically at any time without editing the key policy. Which approach best meets these requirements?

Reviewed for accuracy · Report an issueNext question