Thank you so much for bringing this up to our attention. We have a typo in one of the correct answers and it should say: “…the developer does not include the kms:Decrypt permission.” instead. This will be updated in our practice tests soon.
The scenario is actually based on this official AWS article:
The option that mentions kms:Encrypt is incorrect because the scenario says that the operation is already successful whenever the developer uploads a smaller file. This signifies that the developer already has the kms:Encrypt permission.
Thanks again for letting us know about this issue. As always, feel free to message us if you need further assistance. The Tutorials Dojo team is dedicated to help you pass your AWS exam on your first try!