Exam AWS Certified Developer Associate topic 1 question 125 discussion

Exam question from Amazon's AWS Certified Developer Associate
Question #: 125
Topic #: 1

A developer has created a new IAM user that has the s3:PutObject permission to write to a specific Amazon S3 bucket. The S3 bucket uses server-side encryption with AWS KMS managed keys (SSE-KMS) as the default encryption. When an application uses the access key and secret key of the IAM user to call the PutObject API operation, the application receives an access denied error.
What should the developer do to resolve this error?

  • A. Update the policy of the IAM user to allow the s3:EncryptionConfiguration action.
  • B. Update the bucket policy of the S3 bucket to allow the IAM user to upload objects.
  • C. Update the policy of the IAM user to allow the kms:GenerateDataKey action.
  • D. Update the ACL of the S3 bucket to allow the IAM user to upload objects.
Suggested Answer: C

Comments

colintkn
Highly Voted 2 years, 9 months ago
Selected Answer: C
Answer is C, https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-denied-error-kms/
upvoted 8 times
...
SD_CS
Most Recent 1 year, 5 months ago
Selected Answer: C
During server-side encryption S3 will try to generate a unique key from KMS and will not work if the requester IAM role does not have KMS access permissions.
upvoted 1 times
...
xdkonorek2
1 year, 7 months ago
Selected Answer: C
Response { "statusCode": 500, "body": "\"Error: An error occurred (AccessDenied) when calling the PutObject operation: User: arn:aws:sts::817861099197:assumed-role/for-test-kms-bucket/test-bucket-kms is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:us-west-2:817861099197:key/bc59a931-0166-497d-a29a-7e12ead61df6 because no identity-based policy allows the kms:GenerateDataKey action\"" }
upvoted 1 times
...
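The error text quoted in the comment above names the principal, the denied action and the key ARN, which is enough to derive the narrowest policy statement that closes the gap. The following is an added example, not part of the original thread or of any AWS tooling; the account ID, user name and key ID in the sample are constructed placeholders, and the function names are hypothetical.

```python
import json
import re

# Shape of the AccessDenied text quoted in the thread above.
DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>\S+)"
    r"(?:\s+(?P<reason>.+))?$"
)

# Constructed sample: placeholder account ID, user name and key ID.
SAMPLE_ERROR = (
    "An error occurred (AccessDenied) when calling the PutObject operation: "
    "User: arn:aws:iam::111122223333:user/example-uploader is not authorized "
    "to perform: kms:GenerateDataKey on resource: "
    "arn:aws:kms:us-west-2:111122223333:key/00000000-0000-0000-0000-000000000000 "
    "because no identity-based policy allows the kms:GenerateDataKey action"
)

def parse_denial(message):
    """Return principal, action, resource and reason, or None if no match."""
    m = DENIED.search(message.strip())
    return m.groupdict() if m else None

def triage(message):
    """Classify a denial and propose a least-privilege Allow statement."""
    denial = parse_denial(message)
    if denial is None:
        return None
    # Only a gap in the caller's identity policy is fixed by adding an Allow
    # there; any other stated reason needs a different change.
    gap = "no identity-based policy allows" in (denial["reason"] or "")
    statement = None
    if gap:
        # Scope the grant to the one action and the one key that were denied.
        statement = {
            "Effect": "Allow",
            "Action": denial["action"],
            "Resource": denial["resource"],
        }
    return {"denial": denial, "identity_policy_gap": gap, "statement": statement}

if __name__ == "__main__":
    result = triage(SAMPLE_ERROR)
    policy = {"Version": "2012-10-17", "Statement": [result["statement"]]}
    print(json.dumps(policy, indent=2))
```

The generated statement is added alongside the existing s3:PutObject permission; the KMS key policy must also permit the account's IAM policies to grant access to the key.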
rcaliandro
2 years ago
Selected Answer: C
C is correct; we need AccessDataKey to encrypt at rest and put items on S3.
upvoted 1 times
...
sichilam
2 years, 5 months ago
C is the answer
upvoted 1 times
...
robbyboss
2 years, 9 months ago
reference: https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-denied-error-kms/
upvoted 3 times
...