Review Mode Set 3 – Question 46
Nikee-TutorialsDojo updated 5 months, 1 week ago
I was solving Review Mode Set 3 – AWS Certified Developer Associate exam and didn't understand one question. It is number 46, where it asks about KMS. One of the correct answers is "The developer does not have the kms:Decrypt permission." I didn't understand why. Because in the question, it is stated that the user is able to upload a smaller file to S3, meaning he already has kms:Decrypt permission, right? What am I missing?
This discussion was modified 5 months, 1 week ago by Mert Kose.
Hi Mert,
Thanks for posting! Let me explain why it is correct. When you upload a small file, the CLI uses a single PutObject call. With SSE-KMS, S3 only needs to generate and encrypt a new data key. That requires the kms:Encrypt permission, which the developer already has, so the upload succeeds.
When you upload a large file (100 GB+), the CLI automatically switches to multipart upload. In this mode, S3 has to handle multiple parts of the object. To reuse the same data key across those parts, S3 needs to decrypt the key during the upload process. That’s where the kms:Decrypt permission becomes necessary.
So in short: small uploads only need kms:Encrypt, while large multipart uploads need both kms:Encrypt and kms:Decrypt. If the developer is missing kms:Decrypt, smaller files will still upload fine, but larger multipart uploads will fail with "Access Denied."
That’s why “The developer does not have the kms:Decrypt permission” is a correct answer; it explains why the failure only occurs on large files and not on smaller ones.
Thanks again for pointing it out — your feedback helps improve the exam content.
Regards,
Nikee @ Tutorials Dojo
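For anyone who hits this outside the exam, here is an IAM identity policy that covers both cases described in the answer above. This is an added illustration, not part of the original thread or of any Tutorials Dojo material. The key ARN, account ID and bucket name are placeholders; replace them with your own. Besides kms:Encrypt and kms:Decrypt, the policy also grants kms:GenerateDataKey, which is the call S3 makes when it creates the per-object data key for SSE-KMS (the "generate a new data key" step mentioned in the answer).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UploadToSseKmsBucket",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "KmsForSingleAndMultipartUploads",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

The kms:ViaService condition limits the grant so the developer can only use the key through S3 in that region, rather than calling KMS directly; drop or adjust it if the same principal also needs to call KMS from application code. To reproduce the failure with a small test file instead of waiting on a 100 GB upload, lower the CLI's multipart threshold (for example `aws configure set default.s3.multipart_threshold 8MB`) and upload a file just above that size: with kms:Decrypt missing, the single-part upload below the threshold succeeds and the multipart one above it is denied.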