A company uses AWS KMS to encrypt data at rest in Amazon S3. The security team wants to ensure that only users with a specific IAM role can decrypt objects. What is the MOST secure way to achieve this?
Key policy controls who can decrypt, bucket policy controls access to the object.
Why this answer
Option C is correct because using a KMS key with a key policy that grants decrypt only to the specific IAM role ensures that only that role can decrypt, while the bucket policy restricts who can access the bucket. Option A is wrong because the bucket policy alone cannot control decryption. Option B is wrong because S3 default encryption does not restrict decryption. Option D is wrong because KMS automatic key rotation does not control access.