🔥 3-day streak
AWS Certified Security - Specialty95 / 184
Question 95 of 184
A company runs a data-processing Lambda function that must decrypt objects protected by a customer managed KMS key only during a nightly batch job. The security team wants to grant the Lambda execution role temporary, least-privilege decrypt access without modifying the key policy each time and without leaving standing permissions that must be manually removed. The key policy already delegates permissions management to IAM. Which approach best meets these requirements?
Reviewed for accuracy · Report an issueNext question