A developer operations team uses AWS Identity and Access Management (1AM) to manage user permissions...

Understand the Problem:

The EC2 instance profile role has the AWS managedReadOnlyAccesspolicy.

This policy does not include permissions forkms:Decrypt, which is required to decrypt the objects encrypted with a customer-managed KMS key.

Review S3 Bucket Policy and Object Permissions:

Verify that the S3 bucket policy allows access for the IAM role associated with the EC2 instance.

Ensure that there are no conflicting bucket or object ACLs.

Addkms:DecryptPermission:

Attach an inline policy to the EC2 instance IAM role.

This policy should grantkms:Decryptaccess for the specific KMS key used to encrypt the S3 objects.

Example Inline Policy:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": "kms:Decrypt",

"Resource": "arn:aws:kms:::key/"

}

]

}

Test the Configuration:

Attempt to read the file from the encrypted S3 bucket to ensure that the issue is resolved.

AWS KMS Key Policies and Permissions

IAM Permissions for Using AWS KMS Keys