AWS SAP-C02 · Question 20 · Domain 1.4: Multi-Account Environment
An enterprise has a central logging account where all AWS CloudTrail logs from 100 member accounts are stored in a single S3 bucket. The security team needs to query these logs using Amazon Athena. However, they are encountering KMS decryption errors when Athena tries to read the logs. The S3 bucket is encrypted with an AWS KMS Customer Managed Key (CMK). What is the MOST likely cause of the error?
Answer options:
CloudTrail does not support KMS encryption for organization trails.
The Athena execution role lacks the s3:GetObject permission for the bucket.
The KMS key policy does not grant the Athena execution role the kms:Decrypt permission.
Athena cannot query data encrypted with a Customer Managed Key; it requires an AWS Managed Key.