🔥 3-day streak
AWS Certified Solutions Architect - Associate81 / 150
Question 81 of 150
A company uses a customer managed AWS KMS key to encrypt sensitive financial records stored in Amazon S3. The security team wants to ensure that a newly created IAM role used by a nightly batch job can decrypt objects, but only for the duration the job runs, without permanently modifying the KMS key policy or attaching broad IAM permissions. The team also wants the ability to programmatically retire this access when the job completes. Which approach best meets these requirements?
Reviewed for accuracy · Report an issueNext question →