A Glue job fails with an AccessDenied error when trying to write to the S3 bucket my-data-lake. The IAM policy attached to the job role is shown in the exhibit. What is the MOST likely reason for the failure?
SSE-KMS requires kms:Decrypt and kms:GenerateDataKey permissions, which are missing.
Why this answer
The policy allows s3:PutObject on the bucket, so write access appears to be granted. However, if the bucket is encrypted with SSE-KMS, the job role also needs kms:Decrypt and kms:GenerateDataKey permissions, and the policy does not include any KMS actions.
The bucket policy might also deny the request, but the most common issue is KMS encryption.