🔥 3-day streak
AWS Certified CloudOps Engineer - Associate109 / 159
Question 109 of 159
A CloudOps engineer is troubleshooting an application running on an EC2 instance that must decrypt objects in an S3 bucket encrypted with a customer managed KMS key. The EC2 instance role has an IAM policy granting kms:Decrypt on the key's ARN, but the application receives an AccessDenied error when calling Decrypt. The KMS key policy contains only the default statement granting the root account full access, plus a statement granting a separate administrator role kms:* permissions. What is the MOST likely cause and the correct fix?
Reviewed for accuracy · Report an issueNext question