🔥 3-day streak
AWS Certified Developer - Associate86 / 150
Question 86 of 150
A developer builds a Lambda function that must decrypt objects using a specific customer managed KMS key in the same account. The function's execution role already has an identity-based policy granting kms:Decrypt on that key ARN. However, invocations fail with an AccessDeniedException when calling Decrypt. The KMS key's key policy contains only the default statement granting the root account 'kms:*' but no other statements. What is the MOST likely cause and the correct fix?
Reviewed for accuracy · Report an issueNext question