🔥 3-day streak
AWS Certified Security - Specialty56 / 157
Question 56 of 157

A company runs a KMS-encrypted S3 bucket in account A (111111111111). A data-processing application running on an EC2 instance in account B (222222222222) uses an IAM role to read objects. The security team confirms the S3 bucket policy in account A grants s3:GetObject to the account B role's ARN, and the KMS key policy in account A grants kms:Decrypt to the same role ARN. However, the application receives AccessDenied errors when downloading objects. The IAM role in account B currently has no attached identity-based policy for S3 or KMS. What must be changed to allow the download to succeed?

Reviewed for accuracy · Report an issueNext question