SCS-C02 Question #72: Real Exam Question with Answer & Explanation
Question
A company's security engineer has configured a client account to capture AWS CloudTrail logs that are then sent to an Amazon S3 bucket. The S3 bucket that stores these CloudTrail logs has always been configured to use AWS Key Management Service (AWS KMS) with the default KMS key (aws/s3) for encryption. Recently, the company changed the key on the S3 bucket to a new KMS key. Since the modification of the bucket key, the security engineer cannot retrieve new CloudTrail log files that are written to the S3 bucket. The security engineer receives the following error message: "An error occurred (AccessDenied) when calling the GetObject operation: Access Denied". Log files that were written to the S3 bucket before the bucket key was changed are still accessible. The company used the new KMS key to encrypt other S3 buckets, and the same error is occurring with those S3 buckets. What is the MOST likely cause of this error?
Options
- A. The security engineer's IAM user does not have encrypt and decrypt permissions for the new
- B. The security engineer's IAM user does not have administrative permissions for the new KMS key.
- C. The S3 bucket policy needs modification to allow users to access objects that are encrypted with
- D. The S3 bucket policy needs modification to allow the security engineer's IAM user to access