Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 145 discussion

To resolve the IAM access issue, the administrator should ensure that the IAM role has the necessary permissions to decrypt the encrypted files in the S3 bucket. Since the files are encrypted, the role needs kms:Decrypt permissions to access them. Therefore, the correct answer is C. Attaching an inline policy with kms:Decrypt permissions to the IAM role will allow the application running on the EC2 instance to read the encrypted files from the S3 bucket. Option A is not ideal because editing the AWS managed ReadOnlyAccess policy is not possible. Option B is unnecessary because the S3 bucket policy already allows access. Option D is too broad and grants more permissions than needed, which is not a best practice for security.

C is correct.

C is correct, ReadOnlyAccess is a administer policy by AWS, can't edit.

B es correct, ReadOnlyAccess is a administer policy by AWS, can't edit.

C is correct, cant edit an AWS managed policy. Need to create a new inline policy

C A. Edit ReadOnlyAccess Policy: Modifying the ReadOnlyAccess policy to include kms:Decrypt actions would grant these permissions to any role or user attached to that policy. This might be more permissive than necessary and could introduce security risks if the policy is used elsewhere. B. Add Role to S3 Bucket Policy: While adding the EC2 instance profile role to the S3 bucket policy would allow access, it bypasses IAM role-based access control and couples the policy directly to the instance role. This approach is less flexible and doesn't leverage the benefits of IAM roles for managing access. D. Attach Policy with S3: Permissions:* Granting S3:* permissions through an inline policy would provide excessive access to the application. It's essential to follow the principle of least privilege and only grant the necessary kms:Decrypt permissions for the specific KMS key used for encryption.