🔥 3-day streak
AWS Certified Developer - Associate85 / 150
Question 85 of 150

A developer manages a customer managed KMS key in Account A that encrypts objects in an S3 bucket. A Lambda function running in Account B must decrypt those objects. The developer has already added an IAM policy to the Lambda execution role in Account B allowing kms:Decrypt on the key ARN, but the function still receives an AccessDeniedException from KMS. What is the MOST likely cause and correct fix?

Reviewed for accuracy · Report an issueNext question