A company’s security engineer has configured a client account to capture AWS CloudTrail logs that are then sent to an Amazon S3 bucket. The S3 bucket that stores these CloudTrail logs has always been configured to use AWS Key Management Service (AWS KMS) with the default KMS key (aws/s3) for encryption. Recently, the company changed the key on the S3 bucket to a new KMS key. Since the modification of the bucket key, the security engineer cannot retrieve new CloudTrail log files that are written to the S3 bucket. The security engineer receives the following error message: “An error occurred (AccessDenied) when calling the GetObject operation: Access Denied”. Log files that were written to the S3 bucket before the bucket key was changed are still accessible. The company used the new KMS key to encrypt other S3 buckets, and the same error is occurring with those S3 buckets. What is the MOST likely cause of this error?

Topic #: - All AWS Certified Security - Specialty Questions

A. The security engineer’s IAM user does not have encrypt and decrypt permissions for the new KMS key. Most Voted
B. The security engineer’s IAM user does not have administrative permissions for the new KMS key.
C. The S3 bucket policy needs modification to allow users to access objects that are encrypted with the new KMS key.
D. The S3 bucket policy needs modification to allow the security engineer’s IAM user to access objects in the S3 bucket.

- Awsexamhub website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Suggested Answer:

Share this post

Join the Discussion