🔥 3-day streak
AWS Certified Developer - Associate82 / 150
Question 82 of 150
A developer is building a document-processing service where each customer's files are encrypted with a shared KMS customer managed key. A downstream Lambda function must be able to decrypt only files belonging to a specific tenant, identified by a tenant ID that is passed as encryption context during encryption. The team wants to grant the Lambda's execution role temporary decrypt permission that is scoped so it can only decrypt data encrypted with that tenant's encryption context, without editing the key policy. Which approach meets these requirements?
Reviewed for accuracy · Report an issueNext question