🔥 3-day streak
AWS Certified Security - Specialty107 / 184
Question 107 of 184

A security engineer must ensure that an application's KMS customer managed key can only be used to decrypt data when the request originates from Amazon S3 on behalf of the application, and never through direct KMS API calls by IAM principals. The engineer wants to enforce this using the key policy while still allowing S3 to transparently decrypt objects. Which key policy condition most precisely achieves this requirement?

Reviewed for accuracy · Report an issueNext question