Hi Mert,
Thanks for posting! Let me explain why it is correct. When you upload a small file, the CLI uses a single PutObject call. With SSE-KMS, S3 only needs to generate and encrypt a new data key. That requires the kms:Encrypt permission, which the developer already has, so the upload succeeds.
When you upload a large file (100 GB+), the CLI automatically switches to multipart upload. In this mode, S3 has to handle multiple parts of the object. To reuse the same data key across those parts, S3 needs to decrypt the key during the upload process. That’s where the kms:Decrypt permission becomes necessary.
So in short: small uploads only need kms:Encrypt, while large multipart uploads need both kms:Encrypt and kms:Decrypt. If the developer is missing kms:Decrypt, smaller files will still upload fine, but larger multipart uploads will fail with “Access Denied.”
That’s why “The developer does not have the kms:Decrypt permission” is a correct answer; it explains why the failure only occurs on large files and not on smaller ones.
Thanks again for pointing it out — your feedback helps improve the exam content.
Regards,
Nikee @ Tutorials Dojo
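
An offline pre-flight check for the failure discussed in the reply above, as an added example that is not part of the original post or of Tutorials Dojo's material. It uses the action names from AWS's S3 documentation for SSE-KMS (kms:GenerateDataKey to create the data key, plus kms:Decrypt for multipart uploads). The policy, key ARN and function names are constructed for illustration, and the evaluation is simplified: `Condition` and `NotAction` are ignored.

```python
import fnmatch

# KMS actions S3 calls on the uploader's behalf with SSE-KMS (AWS S3 docs).
REQUIRED = {
    "single_put": ["kms:GenerateDataKey"],
    "multipart": ["kms:GenerateDataKey", "kms:Decrypt"],
}

# Constructed sample values, not taken from the page.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["kms:Encrypt", "kms:GenerateDataKey*"],
         "Resource": KEY_ARN},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _matches(statement, action, key_arn):
    """True if the statement names this action (case-insensitive, wildcards) on this key."""
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatch.fnmatchcase(key_arn, r) for r in resources))


def missing_kms_actions(policy, key_arn, upload_kind):
    """Return the required KMS actions the policy does not effectively allow."""
    statements = _as_list(policy.get("Statement", []))
    missing = []
    for action in REQUIRED[upload_kind]:
        allowed = any(s.get("Effect") == "Allow" and _matches(s, action, key_arn)
                      for s in statements)
        denied = any(s.get("Effect") == "Deny" and _matches(s, action, key_arn)
                     for s in statements)
        if denied or not allowed:  # an explicit Deny always wins over Allow
            missing.append(action)
    return missing


if __name__ == "__main__":
    for kind in REQUIRED:
        print(kind, "missing:", missing_kms_actions(SAMPLE_POLICY, KEY_ARN, kind))
```

Running the check against a developer's identity policy before a large transfer shows whether the multipart path will be denied even though small uploads succeed.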