A company has an application workflow in which an AWS Lambda function downloads and decrypts files from Amazon S3. The files are encrypted with AWS Key Management Service (AWS KMS) keys. A solutions architect needs to ensure the correct permissions are set. Which combination of actions accomplishes this? (Choose two.)
Choose an answer
Tap an option to check your answer.
Correct answer: Grant the decrypt permission for the Lambda IAM role in the KMS key's policy., Create a new IAM role with the kms:decrypt permission and attach that role to the Lambda function as its execution role..
Why this is the answer
To allow a Lambda function to decrypt KMS-encrypted S3 objects, two primary permission configurations are needed. First, the Lambda function requires an execution role with the kms:Decrypt permission. This is achieved by creating a new IAM role with this permission and attaching it to the Lambda function. Second, the KMS key itself must permit the Lambda function's IAM role to perform decryption. This is done by explicitly granting the kms:Decrypt permission to the Lambda IAM role within the KMS key's policy. Both steps are crucial: the Lambda role needs permission to request decryption, and the KMS key needs to allow that specific role to decrypt. Attaching kms:decrypt to the Lambda function's resource policy is incorrect because resource policies define permissions for other AWS services to invoke or interact with the Lambda function, not for the Lambda function itself to access other services. Granting decrypt permission for the Lambda resource policy in the KMS key's policy is also incorrect as KMS key policies grant permissions to IAM principals (users, roles), not to resource policies of other services.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed