AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
An operations engineer must allow an EC2 instance that runs in Account B to download objects from an S3 bucket in Account A. The bucket uses server-side encryption with a customer-managed AWS KMS key that also resides in Account A. The solution must follow least privilege and require no ongoing administration. Which approach satisfies these requirements?
A. In Account A, update the KMS key policy to allow the instance's IAM role from Account B to use kms:Decrypt, add an S3 bucket policy granting that role s3:GetObject, and attach that role to the EC2 instance in Account B.
B. Create a cross-account grant on the KMS key that allows the root user of Account B to decrypt with the key and rely on the bucket's default ACLs for object access.
C. In Account B, export a copy of the CMK from Account A, re-encrypt all objects in the bucket with the copied key, and give the instance s3:GetObject permission.
D. Change the bucket's default encryption to SSE-S3 and add a bucket policy permitting the instance role to call s3:GetObject.
The correct answer is A. The instance role in Account B needs two permissions: s3:GetObject on the objects, and kms:Decrypt on the key, because S3 must call KMS to unwrap each object's data key before it can return plaintext. For a cross-account request both sides of the boundary must allow the call: a resource-based policy in Account A (the key policy and the bucket policy) and an identity-based policy attached to the role in Account B. Neither side alone is sufficient.
The KMS key policy in Account A must name the instance role's ARN as the principal of a statement that allows kms:Decrypt. A read-only consumer does not need kms:GenerateDataKey or kms:Encrypt; those are only required to upload new objects, so granting them would exceed least privilege.
A bucket policy in Account A must allow the same role to call s3:GetObject on the required object prefix. Because the permissions live in the key policy, the bucket policy and the role's own policy, there are no grants to renew and no key material to copy or rotate by hand, and nothing wider than one role and one read action per service is granted, which satisfies least privilege. Option B is wrong on two counts: the root user of Account B is a far broader principal than a single role, and S3 ACLs are a legacy mechanism that is disabled by default on new buckets and should not be used for cross-account access. Option C is not possible: AWS KMS never exports the key material of a KMS key, so a key cannot be copied into another account. Option D switches the bucket to SSE-S3, removing the customer-managed KMS protection the scenario requires.
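The three policy documents behind option A, together with a small model of how IAM combines them, as an added example that is not part of the original question or AWS's own tooling. The account IDs, key ID, bucket name and role name are placeholders. The evaluator deliberately simplifies IAM: an explicit Deny anywhere wins, otherwise the caller's identity-based policy (Account B) and the resource-based policy in the owning account (Account A) must both Allow; conditions, NotAction/NotResource and SCPs are ignored.

```python
"""Cross-account read of SSE-KMS objects: policies from option A plus a toy IAM evaluator.

Added example, not from the page or from AWS. IDs, names and the key ID are placeholders.
Simplified rule: explicit Deny wins; otherwise identity policy (Account B) AND resource
policy (Account A) must both Allow. Conditions, NotAction/NotResource, SCPs are ignored.
"""
import fnmatch

ACCOUNT_A = "111111111111"   # assumed: owns the bucket and the KMS key
ACCOUNT_B = "222222222222"   # assumed: owns the EC2 instance and its role
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/ec2-s3-reader"   # assumed role name
BUCKET_ARN = "arn:aws:s3:::example-data-bucket"             # assumed bucket name
OBJECTS_ARN = f"{BUCKET_ARN}/*"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_A}:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # placeholder

# Account A, resource-based: the key policy. Only kms:Decrypt is delegated to the
# role; a read-only consumer never needs kms:GenerateDataKey or kms:Encrypt.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AccountAAdmin", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowAccountBRoleDecrypt", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN},
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}

# Account A, resource-based: the bucket policy, scoped to objects only.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAccountBRoleGetObject", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN},
         "Action": "s3:GetObject", "Resource": OBJECTS_ARN},
    ],
}

# Account B, identity-based: attached to the instance role. Cross-account access
# needs this side too; the two resource policies above do not suffice on their own.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": OBJECTS_ARN},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal")
    if principal is None or principal == "*":   # identity-based policy has no Principal
        return True
    return principal_arn in _as_list(principal.get("AWS", []))


def _decision(policy, principal_arn, action, resource):
    """Return 'Deny', 'Allow' or None (no statement matched)."""
    result = None
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


def cross_account_allowed(identity_policy, resource_policy, principal_arn, action, resource):
    """Caller's identity policy and owner's resource policy must both Allow."""
    ident = _decision(identity_policy, principal_arn, action, resource)
    res = _decision(resource_policy, principal_arn, action, resource)
    if "Deny" in (ident, res):
        return False
    return ident == "Allow" and res == "Allow"


def can_download(object_arn, principal_arn=ROLE_ARN, identity_policy=ROLE_POLICY):
    """GetObject on an SSE-KMS object succeeds only if S3 may also call kms:Decrypt."""
    get = cross_account_allowed(identity_policy, BUCKET_POLICY, principal_arn, "s3:GetObject", object_arn)
    dec = cross_account_allowed(identity_policy, KEY_POLICY, principal_arn, "kms:Decrypt", KEY_ARN)
    return get and dec


def without_action(policy, action):
    """Copy of a policy with every statement granting `action` removed (what-if checks)."""
    return {**policy, "Statement": [s for s in policy["Statement"] if action not in _as_list(s["Action"])]}


def key_policy_decision(principal_arn):
    """What the key policy alone says about a principal asking for kms:Decrypt."""
    return _decision(KEY_POLICY, principal_arn, "kms:Decrypt", KEY_ARN)


if __name__ == "__main__":
    obj = f"{BUCKET_ARN}/reports/q1.csv"
    print("role can download:", can_download(obj))
    print("role without kms:Decrypt:", can_download(obj, identity_policy=without_action(ROLE_POLICY, "kms:Decrypt")))
    print("Account B root in key policy:", key_policy_decision(f"arn:aws:iam::{ACCOUNT_B}:root"))
```

Dropping the kms:Decrypt statement from the role policy makes the download fail even though the bucket policy still allows s3:GetObject, which is the failure mode people hit most often with cross-account SSE-KMS. The Account B root principal from option B gets no decision from the key policy at all because only the role ARN is listed. One operational caveat: a resource-based policy stores the role's unique ID behind the ARN, so deleting and recreating the role in Account B leaves a dangling principal in the key and bucket policies that must be re-added.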
Security and Compliance