🔥 3-day streak
AWS Certified Solutions Architect - Associate80 / 150
Question 80 of 150

A company stores sensitive reports in an S3 bucket in Account A, encrypted with a customer managed AWS KMS key. A partner team operating in Account B needs to read and decrypt these objects using an IAM role. The S3 bucket policy and the IAM role in Account B have both been configured to allow the required S3 and KMS actions, but the partner still receives an AccessDenied error when downloading objects. What must the solutions architect do to resolve the issue while following least-privilege principles?

Reviewed for accuracy · Report an issueNext question →