🔥 3-day streak
AWS Certified Developer - Associate84 / 150
Question 84 of 150
A developer creates a customer managed KMS key to encrypt sensitive financial records stored in an S3 bucket. Company policy requires that only a specific IAM role named DataProcessorRole be able to decrypt these records, and no other principal in the account — including administrators — should be able to perform Decrypt operations. The key must still allow account administrators to manage the key (update policy, schedule deletion). What is the correct way to enforce this decrypt restriction?
Reviewed for accuracy · Report an issueNext question