A company is designing a data protection strategy for its Amazon S3 bucket that stores sensitive customer data. The bucket must be encrypted at rest using a customer managed key (CMK) that is stored in AWS KMS. The company also needs to ensure that only authorized users can decrypt objects. Which TWO actions should the company take?
Key policy controls access to the key.
Why this answer
To control decryption access, you must grant the kms:Decrypt permission to authorized users and restrict the key policy accordingly. Options B and D are correct because they control access to the key. Option A is incorrect because a bucket policy alone cannot control decryption; it works together with the key policy.
Option C is incorrect because SSE-KMS uses KMS keys, not SSE-C. Option E is incorrect because S3 does not support IAM conditions based on a VPC endpoint for decryption.