What is causing the issue?

An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions. The environment has the following configuration:

- The instance is allowed the kms:Decrypt action in its IAM role for all resources.
- The AWS KMS CMK status is set to enabled.
- The instance can communicate with the KMS API using a configured VPC endpoint.

What is causing the issue?
A. The kms:GenerateDataKey permission is missing from the EC2 instance’s IAM role
B. The ARN tag on the CMK contains the EC2 instance’s ID instead of the instance’s ARN
C. The kms:Encrypt permission is missing from the EC2 IAM role
D. The KMS CMK key policy that enables IAM user permissions is missing
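The configuration in the question turns on how AWS KMS evaluates a key policy together with an IAM policy for a same-account principal. The following added example (not part of the original question or thread) models that evaluation; the account id, role ARN and both key policies are constructed placeholders:

```python
# Hypothetical account id and role ARN (placeholders, not from the page).
ACCOUNT_ID = "111122223333"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ec2-decrypt-role"
# The "Enable IAM User Permissions" statement: names the account root and
# thereby lets IAM policies in that account grant access to the key.
IAM_DELEGATION_STMT = {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                       "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
                       "Action": "kms:*", "Resource": "*"}
# A key-administrator statement that does not cover kms:Decrypt for the role.
ADMIN_STMT = {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
              "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/kms-admin"},
              "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:Put*"],
              "Resource": "*"}
# Constructed key policies: with and without the IAM delegation statement.
KEY_POLICY_WITH_IAM_DELEGATION = {"Version": "2012-10-17", "Statement": [ADMIN_STMT, IAM_DELEGATION_STMT]}
KEY_POLICY_WITHOUT_IAM_DELEGATION = {"Version": "2012-10-17", "Statement": [ADMIN_STMT]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def action_matches(pattern, action):
    # IAM-style action wildcards: "*", "kms:*", "kms:Desc*".
    return action == pattern or (pattern.endswith("*") and action.startswith(pattern[:-1]))

def key_policy_grants(policy, principal_arn, action):
    """'direct' if the key policy names the principal (or '*'), 'via-iam' if it
    names the account root, else None. Simplified: same account, no Deny/Condition/grants."""
    root = f"arn:aws:iam::{principal_arn.split(':')[4]}:root"
    verdict = None
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(action_matches(p, action) for p in as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        if "*" in arns or principal_arn in arns:
            return "direct"
        if root in arns:
            verdict = "via-iam"
    return verdict

def decrypt_allowed(policy, role_arn, iam_allows_decrypt):
    """Combine key policy and IAM policy as KMS does for a same-account principal."""
    grant = key_policy_grants(policy, role_arn, "kms:Decrypt")
    if grant == "direct":
        return True
    if grant == "via-iam":
        return iam_allows_decrypt  # IAM policy counts only once the key policy delegates
    return False  # key policy silent: the role's kms:Decrypt permission alone is not enough
```

Running `decrypt_allowed` against each constructed policy shows which side of the configuration a denial can be traced to before touching the key itself.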


One thought on “What is causing the issue?”

  1. Correct answer A

    https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html

    To decrypt data outside of AWS KMS:

    Use the Decrypt operation to decrypt the encrypted data key. The operation returns a plaintext copy of the data key.

    Use the plaintext data key to decrypt data outside of AWS KMS, then erase the plaintext data key from memory.

    Cross-account use: Yes. To perform this operation with a KMS key in a different AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.

    Required permissions: kms:GenerateDataKey (key policy)
