An application is running on Amazon EC2. It has an attached IAM role that is receiving an AccessDenied error while trying to access a SecureString parameter resource in the AWS Systems Manager Parameter Store. The SecureString parameter is encrypted with a customer-managed Customer Master Key (CMK).
What steps should the DevOps Engineer take to grant access to the role while granting least privilege? (Select three.)
A. Set ssm:GetParameter for the parameter resource in the instance role’s IAM policy.
B. Set kms:Decrypt for the instance role in the customer-managed CMK policy.
C. Set kms:Decrypt for the customer-managed CMK resource in the role’s IAM policy.
D. Set ssm:DecryptParameter for the parameter resource in the instance role IAM policy.
E. Set kms:GenerateDataKey for the user on the AWS managed SSM KMS key.
F. Set kms:Decrypt for the parameter resource in the customer-managed CMK policy.