🔥 3-day streak
AWS Certified Security - Specialty108 / 184
Question 108 of 184

A financial services company stores encrypted objects in an S3 bucket using an SSE-KMS customer managed key. A newly created AWS Lambda function (assuming an execution role) needs to read and decrypt these objects, but developers report AccessDenied errors on kms:Decrypt even though the Lambda execution role has an identity-based policy granting kms:Decrypt on the key. The KMS key policy currently contains only a statement granting the account root full access. What is the MOST likely cause and the correct fix that follows least privilege?

Reviewed for accuracy · Report an issueNext question