A data engineer needs to share an S3 bucket with another AWS account. They want to ensure that the objects in the bucket remain encrypted with SSE-KMS using a customer managed key. What additional step is required for cross-account access?
The KMS key policy must allow the target account to use the key for decryption.
Why this answer
When using SSE-KMS with a customer managed key, the key policy must grant the target account's IAM role or user permission to use the key; without it, the other account can reach the object but cannot decrypt it. An S3 bucket policy and IAM permissions in the target account are also required, but the key policy is the additional step specific to KMS. Option A is wrong because the bucket policy alone does not grant KMS permissions.
Option B is wrong because the target account's IAM policy alone cannot override the key policy. Option D is wrong because disabling encryption is not required.