A developer has an AWS Lambda function that needs to read objects from an S3 bucket in another account. The Lambda function's execution role includes an IAM policy that allows s3:GetObject on the bucket. The bucket owner has added a bucket policy that grants s3:GetObject to the Lambda execution role. However, the Lambda function receives Access Denied errors. The S3 bucket uses SSE-KMS for encryption. What is the most likely cause?
- A. The S3 bucket does not have versioning enabled.
  Why wrong: Versioning is not required for read access.
- B. The Lambda function's execution role does not have an explicit allow for s3:GetObject.
  Why wrong: The question states the role includes an IAM policy that allows s3:GetObject, so this is not the issue.
- C. The Lambda function is not in the same AWS region as the S3 bucket.
  Why wrong: Cross-region access is allowed with appropriate permissions, so this is not the cause.
- D. The Lambda function does not have kms:Decrypt permission on the KMS key used by the bucket.
  Why correct: SSE-KMS requires both S3 read permission and KMS decrypt permission, because S3 calls KMS to decrypt the object's data key using the requester's credentials. The bucket policy does not grant KMS permissions; the KMS key policy in the bucket owner's account must allow the Lambda execution role, and for cross-account use the execution role's own IAM policy must also allow kms:Decrypt on that key.