🔥 3-day streak
AWS Certified Solutions Architect - Associate79 / 150
Question 79 of 150

A company runs a data-processing Lambda function that must temporarily decrypt objects using a customer managed KMS key owned by a separate analytics team. The analytics team wants to allow the Lambda's execution role to decrypt for the duration of a batch job without permanently editing the KMS key policy, and they want the ability to revoke the permission programmatically when the job completes. Which approach best meets these requirements?

Reviewed for accuracy · Report an issueNext question →