🔥 3-day streak
AWS Certified CloudOps Engineer - Associate107 / 159
Question 107 of 159

A company stores sensitive data in an S3 bucket in Account A, encrypted with a customer managed AWS KMS key. An application running on EC2 instances in Account B must read and decrypt these objects. The bucket policy already grants Account B's IAM role s3:GetObject. However, the application receives an AccessDenied error when attempting to download objects. What must the CloudOps engineer do to resolve this while following least-privilege best practices?

Reviewed for accuracy · Report an issueNext question