A company runs SAP on AWS and uses AWS Backup to back up the SAP HANA database. The backup job fails with an error indicating insufficient IAM permissions. What is the most likely missing permission?
If the backup is encrypted, AWS Backup requires `kms:Decrypt` to access the key.
Why this answer
AWS Backup needs permission to use the KMS key that encrypts the SAP HANA database or its backup target. If the IAM role assigned to AWS Backup lacks the `kms:Decrypt` action for that specific KMS key, the backup job fails with an insufficient IAM permissions error, because AWS Backup must read the encrypted data before transferring it to the backup vault.
Exam trap
The trap here is that candidates often assume the missing permission is `s3:PutObject` because backups are stored in S3, but the error occurs before the data is written, during the decryption step when the source is encrypted with a KMS key.
How to eliminate wrong answers
Option A is wrong because `ec2:DescribeInstances` is used to list or describe EC2 instances, not to perform backup operations on SAP HANA databases; it is not required for the backup job itself.
Option C is wrong because `rds:CreateDBSnapshot` is specific to Amazon RDS instances, not SAP HANA on EC2, which uses AWS Backup with custom resources or the SAP HANA Backint agent.
Option D is wrong because `s3:PutObject` is needed for writing backup data to an S3 bucket, but the error specifically indicates insufficient IAM permissions, and the most common missing permission in encrypted environments is `kms:Decrypt`, not the S3 write action.