Courseiva
SAA-C03
Full test
mediummultiple choiceObjective-mapped

An application encrypts data directly with AWS KMS using an encryption context. Your KMS key policy includes a condition that allows kms:Decrypt only when the encryption context contains: "purpose" = "myapp-secrets" After a deployment, decryption fails. CloudTrail shows kms:Decrypt was called, but it was denied by the key policy due to the encryption context condition. What is the best fix?

Question 1mediummultiple choice
Full question →

An application encrypts data directly with AWS KMS using an encryption context. Your KMS key policy includes a condition that allows kms:Decrypt only when the encryption context contains: "purpose" = "myapp-secrets" After a deployment, decryption fails. CloudTrail shows kms:Decrypt was called, but it was denied by the key policy due to the encryption context condition. What is the best fix?

Full question →

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Best answer

Update the application code to supply the correct encryption context "purpose" = "myapp-secrets" when calling decrypt (and encrypt if rotating).

If the KMS key policy enforces an encryption context match, decrypt must provide the same context keys and values used during encryption. Aligning the encryption context fixes policy enforcement without weakening the key policy.

B

Distractor review

Add kms:Decrypt to the IAM role attached to the application without changing the key policy.

IAM permissions alone are insufficient because the key policy also restricts kms:Decrypt using encryption context conditions.

C

Distractor review

Disable the encryption context condition in the KMS key policy to avoid future failures.

Removing the condition weakens the intended security boundary and violates the reason the condition was added in the first place.

D

Distractor review

Rotate the KMS key immediately and re-encrypt all secrets with a different key ID.

Key rotation and re-encryption are disruptive and not required to address a mismatch in the encryption context used for decrypt.

Common exam trap

Common exam trap: ACLs stop at the first match

ACLs are processed top to bottom. The first matching entry wins, and an implicit deny usually exists at the end.

Technical deep dive

How to think about this question

ACL questions test precision: source, destination, protocol, port and direction. A generally correct ACL can still fail if it is applied on the wrong interface or in the wrong direction.

KKey Concepts to Remember

  • Standard ACLs match source addresses.
  • Extended ACLs can match source, destination, protocol and ports.
  • The first matching ACL entry is used.
  • There is usually an implicit deny at the end.

TExam Day Tips

  • Check inbound versus outbound direction.
  • Read the ACL from top to bottom.
  • Look for a broader permit or deny above the intended line.

Related practice questions

Related SAA-C03 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

SAA-C03 VPC practice questions

Practise SAA-C03 questions linked to SAA-C03 VPC.

SAA-C03 S3 lifecycle policy questions

Practise SAA-C03 questions linked to SAA-C03 S3 lifecycle policy questions.

SAA-C03 RDS Multi-AZ questions

Practise SAA-C03 questions linked to SAA-C03 RDS Multi-AZ questions.

SAA-C03 IAM policy practice questions

Practise SAA-C03 questions linked to SAA-C03 IAM policy.

SAA-C03 Route 53 failover questions

Practise SAA-C03 questions linked to SAA-C03 Route 53 failover questions.

SAA-C03 CloudFront practice questions

Practise SAA-C03 questions linked to SAA-C03 CloudFront.

SAA-C03 NAT gateway questions

Practise SAA-C03 questions linked to SAA-C03 NAT gateway questions.

SAA-C03 VPC endpoint questions

Practise SAA-C03 questions linked to SAA-C03 VPC endpoint questions.

SAA-C03 Auto Scaling practice questions

Practise SAA-C03 questions linked to SAA-C03 Auto Scaling.

SAA-C03 disaster recovery questions

Practise SAA-C03 questions linked to SAA-C03 disaster recovery questions.

SAA-C03 high availability questions

Practise SAA-C03 questions linked to SAA-C03 high availability questions.

SAA-C03 cost optimization questions

Practise SAA-C03 questions linked to SAA-C03 cost optimization questions.

More questions from this exam

Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.

Question 1

A team needs to distribute TCP traffic (not HTTP) across multiple services. The services must see the original client source IP for auditing. Which AWS load balancer is the best fit?

Question 2

A team wants to run containerized services with AWS-managed orchestration and autoscaling. They do NOT require Kubernetes compatibility. Which AWS service choice is most appropriate to meet these goals?

Question 3

A solutions architect is designing an S3 bucket for a IoT ingestion API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure? The design must avoid adding custom operational scripts.

Question 4

A solutions architect is designing an S3 bucket for a claims portal. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

Question 5

A team wants to delegate IAM management to developers, but must ensure developers can never grant themselves permissions beyond a specific limit. Which AWS mechanism best matches this requirement?

Question 6

A solutions architect is designing an S3 bucket for a healthcare document service. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?

FAQ

Questions learners often ask

What does this SAA-C03 question test?

Standard ACLs match source addresses.

What is the correct answer to this question?

The correct answer is: Update the application code to supply the correct encryption context "purpose" = "myapp-secrets" when calling decrypt (and encrypt if rotating). — When an application uses AWS KMS directly and the key policy restricts kms:Decrypt based on encryption context (for example, purpose=myapp-secrets), KMS will only authorize decrypt requests that include the exact required key/value pairs. The IAM role can have kms:Decrypt permission, but the key policy condition will still deny if the encryption context differs. The correct fix is to update the application to supply the same encryption context during decrypt (and during encrypt if new ciphertext is created). This preserves strong cryptographic separation without relaxing KMS controls. Option B fails because key policy conditions are enforced even if IAM allows the action. Option C removes a security control meant to bind ciphertext to a specific use case, increasing risk. Option D is likely unnecessary and costly: the failure is caused by the encryption context mismatch, not by key age or key identity.

What should I do if I get this SAA-C03 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.

Discussion

Loading comments…

Sign in to join the discussion.