🔥 3-day streak
AWS Certified Security - Specialty109 / 184
Question 109 of 184
A company runs a data ingestion service on EC2 that must encrypt objects before uploading them to S3 using a customer managed KMS key. A separate analytics service, running under a different IAM role, must be able to read and decrypt those objects. Security requires that the ingestion role can only encrypt (never decrypt) and the analytics role can only decrypt (never encrypt), enforced at the key. Which approach meets these requirements with least privilege?
Reviewed for accuracy · Report an issueNext question