Question 144 - SCS-C02 discussion


A company has an AWS account that includes an Amazon S3 bucket. The S3 bucket uses server-side encryption with AWS KMS keys (SSE-KMS) to encrypt all the objects at rest by using a customer managed key. The S3 bucket does not have a bucket policy.

An IAM role in the same account has an IAM policy that allows s3:List* and s3:Get* permissions for the S3 bucket. When the IAM role attempts to access an object in the S3 bucket, the role receives an access denied message.

Why does the IAM role not have access to the objects that are in the S3 bucket?

A. The IAM role does not have permission to use the KMS CreateKey operation.
B. The S3 bucket lacks a policy that allows access to the customer managed key that encrypts the objects.
C. The IAM role does not have permission to use the customer managed key that encrypts the objects that are in the S3 bucket.
D. The ACL of the S3 objects does not allow read access for the objects when the objects are encrypted at rest.
Suggested answer: C

Explanation:

When using server-side encryption with AWS KMS keys (SSE-KMS), the requester must have both Amazon S3 permissions and AWS KMS permissions to access the objects. The Amazon S3 permissions cover the bucket and object operations, such as s3:ListBucket and s3:GetObject. The AWS KMS permissions cover the key operations that S3 performs on the requester's behalf, such as kms:GenerateDataKey (on upload) and kms:Decrypt (on download). In this case, the IAM role has the necessary Amazon S3 permissions but not the AWS KMS permissions to use the customer managed key that encrypts the objects, so the KMS call fails and the IAM role receives an access denied message when it tries to read the objects.
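To make the two-permission requirement concrete, here is an added example (not part of the question page or of any AWS tool) that models the role's policy from the scenario beside a corrected policy and checks, offline, which actions are missing for an S3 operation on an SSE-KMS object. The bucket name, key ARN and account ID are placeholders; the evaluator is a simplified model of identity-policy evaluation (explicit Deny wins, otherwise any matching Allow) and does not consider the KMS key policy, bucket policy, SCPs, permission boundaries or condition keys.

```python
import fnmatch

# Constructed sample values (added example, not from the question page).
# The bucket name, key ARN and account ID are placeholders.
BUCKET_ARN = "arn:aws:s3:::example-bucket"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/KEY-ID-PLACEHOLDER"

# Models the role in the question: s3:List*/s3:Get* only, nothing for KMS.
ROLE_POLICY_S3_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:List*", "s3:Get*"],
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        }
    ],
}

# Corrected policy: adds the KMS actions SSE-KMS needs for reads (Decrypt)
# and writes (GenerateDataKey), scoped to the one customer managed key.
ROLE_POLICY_WITH_KMS = {
    "Version": "2012-10-17",
    "Statement": ROLE_POLICY_S3_ONLY["Statement"] + [
        {
            "Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": KEY_ARN,
        }
    ],
}

# KMS actions that S3 calls on the requester's behalf for each object operation.
KMS_ACTIONS_FOR_SSE_KMS = {
    "GetObject": ["kms:Decrypt"],
    "PutObject": ["kms:GenerateDataKey"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, candidate):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return fnmatch.fnmatchcase(candidate, pattern)


def policy_allows(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins,
    otherwise the request is allowed if any statement matches.
    Action names are compared case-insensitively, ARNs case-sensitively."""
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(_matches(p.lower(), action.lower())
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource)
                           for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy, object_arn, key_arn, s3_op="GetObject"):
    """Return the actions this policy lacks for s3_op on an SSE-KMS object:
    the S3 action itself first, then the KMS action(s) S3 performs for it."""
    missing = []
    s3_action = "s3:" + s3_op
    if not policy_allows(policy, s3_action, object_arn):
        missing.append(s3_action)
    for kms_action in KMS_ACTIONS_FOR_SSE_KMS[s3_op]:
        if not policy_allows(policy, kms_action, key_arn):
            missing.append(kms_action)
    return missing


if __name__ == "__main__":
    obj = BUCKET_ARN + "/reports/q1.csv"
    for name, pol in [("S3-only", ROLE_POLICY_S3_ONLY),
                      ("with KMS", ROLE_POLICY_WITH_KMS)]:
        print(name, "GetObject missing:", missing_permissions(pol, obj, KEY_ARN))
        print(name, "PutObject missing:",
              missing_permissions(pol, obj, KEY_ARN, s3_op="PutObject"))
```

Run against the S3-only policy, the checker reports kms:Decrypt missing for GetObject even though every S3 action passes, which is exactly the situation in the question. In a real account the KMS key policy must also permit the principal (directly, or by delegating to IAM policies for the account), so a role can still be denied with a correct identity policy if the key policy does not allow it; the AWS IAM policy simulator or CloudTrail's recorded KMS Decrypt failure is the authoritative check.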

Reference:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/troubleshoot-403-errors.html

https://repost.aws/knowledge-center/s3-access-denied-error-kms

https://repost.aws/knowledge-center/cross-account-access-denied-error-s3

asked 16/09/2024
Kohsuke Shimizu