🔥 3-day streak
AWS Certified Security - Specialty113 / 184
Question 113 of 184
A data engineering team stores analytics output in an S3 bucket encrypted with a customer managed KMS key. An IAM role used by a Glue job has an identity-based policy granting kms:Decrypt and kms:GenerateDataKey on the key's ARN, plus full S3 access to the bucket. The Glue job fails with an AccessDenied error when writing encrypted objects. The KMS key policy contains only the default statement granting the account root full access, and no additional statements. Why is the job failing, and what is the minimal correct fix?
Reviewed for accuracy · Report an issueNext question