🔥 3-day streak
AWS Certified Security - Specialty110 / 184
Question 110 of 184

A financial services company uses a customer managed KMS key to encrypt sensitive datasets in S3. A data-processing application running on EC2 assumes an IAM role that needs to decrypt objects only during a nightly batch window. The security team wants to grant the least-privileged, time-scoped decrypt access without editing the KMS key policy each time, and they want the ability to revoke access programmatically the moment the batch completes. Which approach best meets these requirements?

Reviewed for accuracy · Report an issueNext question