🔥 3-day streak
AWS Certified Security - Specialty86 / 157
Question 86 of 157

A security engineer manages a customer managed KMS key used to encrypt data in a shared analytics pipeline. A short-lived Lambda function, running under a role that is created dynamically for each batch job, must be granted temporary permission to decrypt data with the key. The engineer wants to avoid editing the key policy or IAM policies for every ephemeral role, and wants the permission to be easily and programmatically revocable when the job finishes. Which approach best meets these requirements?

Reviewed for accuracy · Report an issueNext question