access denied s3 cli copy scenario
-
Security speciality (sampler) question about the ‘aws s3 cp’ scenario with the 10GB file.
Question asks for potential reasons causing the ‘access denied’ error.
One of the answers states: “The IAM policy of the developer does include the kms:Decrypt permission.”
Isn’t a ‘not’ missing here?
As in the explanation you mentioned you need encrypt/decrypt/reencrypt/generatedatakey/describekey actions, which would also make the answer ‘The kms:Encrypt permission is missing from the IAM policy of the developers.’ be correct?
Or am I missing something here?
Cheers,
Robert
-
Hi Robert,
Thank you so much for bringing this to our attention. We have a typo in one of the correct answers and it should say: “…the developer does not include the kms:Decrypt permission.” instead. This will be updated in our practice tests soon.
The scenario is actually based on this official AWS article:
https://aws.amazon.com/premiumsupport/knowledge-center/s3-large-file-encryption-kms-key/
The option that mentions kms:Encrypt is incorrect because the scenario says that the operation is already successful whenever the developer uploads a smaller file. This signifies that the developer already has the kms:Encrypt permission.
Thanks again for letting us know about this issue. As always, feel free to message us if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!
Regards,
Jon Bonso @ Tutorials Dojo
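The check below is an added example, not part of either forum post or of the Tutorials Dojo material. It compares an identity policy against the KMS actions the S3 documentation lists for SSE-KMS uploads (`kms:GenerateDataKey` for a single request, plus `kms:Decrypt` for a multipart upload, which the AWS CLI uses for large files). The key ARN and both policies are constructed placeholders, and the check reads only `Action`/`Resource` in the identity policy: conditions, `NotAction`, key policies, grants and SCPs are out of scope.

```python
from fnmatch import fnmatchcase

# KMS actions S3 calls on the uploader's behalf (per the S3 SSE-KMS documentation).
SINGLE_PART = {"kms:GenerateDataKey"}               # one PutObject request
MULTIPART = {"kms:GenerateDataKey", "kms:Decrypt"}  # parts are decrypted at completion

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _hit(stmt, action, key_arn):
    # Action names are case-insensitive; both fields accept * and ? wildcards.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(key_arn, r) for r in resources))

def missing_actions(policy, key_arn, required):
    """Return the required actions this identity policy does not grant on key_arn."""
    stmts = _as_list(policy.get("Statement", []))
    missing = []
    for action in sorted(required):
        allow = any(s.get("Effect") == "Allow" and _hit(s, action, key_arn) for s in stmts)
        deny = any(s.get("Effect") == "Deny" and _hit(s, action, key_arn) for s in stmts)
        if deny or not allow:  # an explicit Deny always overrides an Allow
            missing.append(action)
    return missing

# Constructed sample data: placeholder key ARN and a hypothetical developer policy.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
        "Resource": KEY_ARN,
    }],
}
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": DEVELOPER_POLICY["Statement"] + [
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
    ],
}

if __name__ == "__main__":
    for name, policy in (("developer", DEVELOPER_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "small file:", missing_actions(policy, KEY_ARN, SINGLE_PART) or "ok",
              "| large file:", missing_actions(policy, KEY_ARN, MULTIPART) or "ok")
```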