🔥 3-day streak
AWS Certified Security - Specialty100 / 184
Question 100 of 184

A financial services company stores customer records in an S3 bucket encrypted with a customer managed KMS key in Account A. A partner analytics firm operating in Account B must be able to decrypt and read these objects, but must NOT be able to schedule deletion of the key, change the key policy, or create grants on the key. The security team wants to grant the minimum access using the KMS key policy while allowing Account B's own IAM administrators to delegate the decrypt permission to specific roles. Which approach meets these requirements?

Reviewed for accuracy · Report an issueNext question