A Lambda function needs to decrypt data encrypted with a customer managed KMS key. Which two permissions are commonly required?
Correct for the stated requirement.
Why this answer
Option A is correct because the Lambda function must have permission to call the kms:Decrypt action on the specific customer managed KMS key to decrypt the data. This permission is granted via a key policy or a grant on the KMS key itself, allowing the Lambda execution role to use the key for decryption operations.
Exam trap
The trap here is that candidates often confuse IAM actions (like iam:CreateUser or s3:PutBucketAcl) with KMS-specific permissions, or they forget that the Lambda execution role needs both the IAM policy and the key policy to allow kms:Decrypt.