🔥 3-day streak
AWS Certified Security - Specialty85 / 157
Question 85 of 157
A company encrypts objects in an S3 bucket in Account A using a customer managed KMS key. A data-processing application running under an IAM role in Account B must be able to decrypt these objects. The security team wants to grant this access following least privilege, allow the permission to be temporary, and enable it to be programmatically revoked when the processing job completes — without editing the KMS key policy or the S3 bucket policy each time. Which approach best meets these requirements?
Reviewed for accuracy · Report an issueNext question