The exhibit shows an IAM policy attached to a Lambda function's execution role. When the Lambda function tries to decrypt data using the KMS key, it receives an access denied error. What is the most likely cause?
Even if the IAM policy allows the action, the key policy must also allow it; this is a common misconfiguration.
Why this answer
The IAM policy grants kms:Decrypt but not kms:DescribeKey. However, the error is most likely not about the action list: the Lambda function is denied kms:Decrypt because the key's key policy might not grant access to the Lambda role. The key policy must explicitly allow the Lambda role to use the key.
Option A is wrong because kms:Decrypt is included. Option B is wrong because it's not about kms:DescribeKey. Option C is wrong because the action list is correct.
Option D is correct: the key policy must grant access to the Lambda role.