Q12 — AWS SCS-C02 Ch.1

Question 12 of 100 | ← Chapter 1

/p> A company has an application that needs to get objects from an Amazon S3 bucket. The application runs on Amazon EC2 instances.  All the objects in the S3 bucket are encrypted with an AWS Key Management Service (AWS KMS) customer managed key. The resources in the  VPC do not have access to the internet and use a gateway VPC endpoint to access Amazon S3.  The company discovers that the application is unable to get objects from the S3 bucket.  Which factors could cause this issue? (Choose three.)

Correct Answer: A. The IAM instance profile that is attached to the EC2 instances does not allow the s3:ListBucket action for the S3 bucket, D. The KMS key policy that encrypts the objects in the S3 bucket does not allow the kms:Decrypt action to the EC2 instance pro, E. The S3 bucket policy does not allow access from the gateway VPC endpoint

Explanation

AWS KMS密钥策略需要授权EC2实例配置文件执行kms:Decrypt操作以解密对象。IAM实例配置文件缺少s3:ListBucket权限会导致无法列出存储桶内容。S3存储桶策略未明确允许通过网关VPC端点的访问将导致请求被拒绝。选项A涉及IAM权限不足,D涉及KMS解密权限缺失,E涉及存储桶策略与VPC端点不兼容。选项C的kms:ListKeys动作不影响解密操作。选项F中网关VPC端点不需要安全组入站规则,仅接口端点需要。B的ListParts动作与普通对象读取无关。参考AWS文档中关于S3权限、KMS密钥策略及VPC端点的访问控制部分。