Account 3000 owns a customer-managed KMS key (key-K). A data processing team in account 4000 needs to decrypt data encrypted with key-K. The role in account 4000 already has an identity policy allowing kms:Decrypt on key-K. Despite this, decrypt requests fail with an AccessDenied error referencing KMS. What is the most likely missing authorization step?
For customer-managed KMS keys, key policy is a required authorization layer. Even with an IAM identity policy granting kms:Decrypt, KMS will deny the request unless the key policy also authorizes the calling principal to use the key for Decrypt.
Why this answer
The correct answer is A because KMS key policies are resource-based policies that must explicitly grant cross-account access. Even though the role in account 4000 has an identity-based policy allowing kms:Decrypt, the key policy in account 3000 (the key owner) must also include a statement that permits the specific role principal from account 4000 to perform kms:Decrypt on key-K. Without this, the KMS service will deny the request due to the lack of a valid authorization path.
Exam trap
The trap here is that candidates assume identity-based policies alone are sufficient for cross-account KMS operations, forgetting that KMS requires an explicit resource-based policy (key policy) grant for the external principal.
How to eliminate wrong answers
Option B is wrong because the S3 bucket policy controls access to S3 objects, not KMS key permissions; the error is specifically from KMS, not S3. Option C is wrong because enabling AWS managed key rotation is not applicable to customer-managed keys (CMKs) and removing the key policy would break all existing permissions, not fix the cross-account issue. Option D is wrong because KMS supports both IAM roles and IAM users as principals; the problem is the missing key policy, not the principal type.