AWS Certified Solutions Architect - Professional / Question #625

Question #625

A solutions architect implemented client-side encryption using a customer master key (CMK) from AWS Key Management Service (KMS) for objects stored in a new Amazon S3 bucket. The solutions architect created an IAM policy and attached it to an IAM role. During testing, uploading new objects to the S3 bucket was successful, but attempts to download existing objects resulted in an error stating the action was forbidden. Which action must the solutions architect add to the IAM policy to resolve this issue?

A

kms:Decrypt

B

kms:Encrypt

C

kms:GetParametersForImport

D

kms:Verify

Explanation

The S3 Encryption Client implements client-side encryption with a KMS CMK as envelope encryption. On upload it calls kms:GenerateDataKey to obtain a fresh data key (a plaintext copy plus a copy encrypted under the CMK), encrypts the object locally with the plaintext key, and stores the encrypted data key in the object's metadata. On download the S3 GetObject request itself succeeds, but the client must then call kms:Decrypt on that stored, encrypted data key before it can decrypt the object body. The policy attached to the role permitted the upload path but did not include kms:Decrypt, so KMS returned an AccessDenied (HTTP 403) error and the download failed. Two practical checks when adding the permission: scope the Resource element to the CMK's ARN rather than "*", and confirm that the CMK's key policy also allows the account (or the role) to use the key, because an IAM policy grants nothing on a KMS key unless the key policy delegates to IAM.

Key Points:
1. Client-side encryption: The object is encrypted and decrypted locally with a per-object data key; only that data key is protected by the KMS CMK, so the CMK never leaves KMS and the object body never reaches KMS.
2. Upload: Requires kms:GenerateDataKey, which returns the data key that encrypts the object locally (the encrypted copy of the data key is stored with the object).
3. Download: Requires kms:Decrypt to unwrap the stored data key; without it the object body cannot be decrypted even though S3 returned it.
4. Other options: kms:Encrypt (B) is an upload-side permission and is evidently not what is missing, since uploads already succeed; kms:GetParametersForImport (C) is used only to import your own key material into a CMK; kms:Verify (D) verifies digital signatures with an asymmetric CMK. None of them lets the client unwrap the data key.
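The following is an added example, not part of the original question or an AWS SDK: a standard-library-only simulation of the envelope-encryption flow above, in which every call to a fake KMS is gated by a minimal IAM-style policy evaluator. It reproduces the symptom in the question (uploads succeed, downloads are denied) and shows the effect of adding kms:Decrypt. The key ARN, the two policy documents, and the sample object body are constructed placeholders, and a toy SHA-256 keystream with an HMAC tag stands in for the AES-GCM the real client uses.

```python
"""Simulated S3 client-side (envelope) encryption gated by an IAM-style policy.
Added example; not from the original page. The toy cipher below is for the
demo only and must not be used as real encryption."""
import fnmatch
import hashlib
import hmac
import os

# Placeholder CMK ARN (assumption, not from the question).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Policy implied by the question: data-key generation works, so uploads succeed.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:GenerateDataKey"], "Resource": KEY_ARN}]}

# The fix: kms:Decrypt on the same key, scoped to the key ARN rather than "*".
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": KEY_ARN}]}


class AccessDenied(Exception):
    """Stands in for the AccessDeniedException (HTTP 403) that KMS returns."""


def policy_allows(policy, action, resource):
    """Minimal IAM evaluation: explicit Deny wins, any matching Allow grants,
    otherwise implicit deny. Action/Resource wildcards use glob matching."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def _keystream_xor(key, nonce, data):
    """Toy SHA-256 counter-mode keystream XORed over data (demo only)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def toy_encrypt(key, plaintext):
    """Toy authenticated encryption: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(12)
    body = _keystream_xor(key, nonce, plaintext)
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def toy_decrypt(key, blob):
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return _keystream_xor(key, nonce, body)


class FakeKMS:
    """Holds the master key and only ever returns wrapped or unwrapped data keys."""

    def __init__(self):
        self._master = os.urandom(32)

    def generate_data_key(self, key_arn, policy):
        if not policy_allows(policy, "kms:GenerateDataKey", key_arn):
            raise AccessDenied("kms:GenerateDataKey")
        data_key = os.urandom(32)
        return data_key, toy_encrypt(self._master, data_key)  # plaintext and wrapped copy

    def decrypt(self, key_arn, wrapped, policy):
        if not policy_allows(policy, "kms:Decrypt", key_arn):
            raise AccessDenied("kms:Decrypt")
        return toy_decrypt(self._master, wrapped)


class EncryptedS3Client:
    """Mimics the S3 Encryption Client: encrypt locally with a data key and store
    the wrapped data key next to the object (the real client uses object metadata)."""

    def __init__(self, kms, policy):
        self.kms, self.policy, self.bucket = kms, policy, {}

    def put_object(self, key, plaintext):
        data_key, wrapped = self.kms.generate_data_key(KEY_ARN, self.policy)
        self.bucket[key] = (toy_encrypt(data_key, plaintext), wrapped)

    def get_object(self, key):
        body, wrapped = self.bucket[key]  # the S3 GetObject itself succeeds...
        data_key = self.kms.decrypt(KEY_ARN, wrapped, self.policy)  # ...KMS is where the 403 comes from
        return toy_decrypt(data_key, body)


def round_trip(policy, plaintext=b"constructed sample object body"):
    """Upload then download under `policy`; returns (upload_result, download_result)."""
    client = EncryptedS3Client(FakeKMS(), policy)
    try:
        client.put_object("report.csv", plaintext)
    except AccessDenied as exc:
        return f"denied: {exc}", "not attempted"
    try:
        return "ok", ("ok" if client.get_object("report.csv") == plaintext else "corrupted")
    except AccessDenied as exc:
        return "ok", f"denied: {exc}"


if __name__ == "__main__":
    print("broken policy:", round_trip(BROKEN_POLICY))  # ('ok', 'denied: kms:Decrypt')
    print("fixed policy: ", round_trip(FIXED_POLICY))   # ('ok', 'ok')
```

Two points the simulation makes explicit: the download fails inside the KMS call, not inside S3, so the object body has already been returned when the error appears; and because client-side encryption calls KMS directly from the application rather than through S3, a kms:ViaService condition that restricts the CMK to the S3 service would also break this flow, unlike server-side encryption with SSE-KMS.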

Answer

The correct answer is: A