Comprehensive and Detailed Explanation (AWS Verified – 250–300 Words)
When an Amazon S3 bucket is configured with default encryption using SSE-KMS, AWS Key Management Service (KMS) plays an active role in every PutObject request. Although the IAM user already has the s3:PutObject permission, this alone is not sufficient when SSE-KMS is enabled.
According to AWS documentation, when a client uploads an object to an S3 bucket encrypted with SSE-KMS, Amazon S3 must call AWS KMS on behalf of the caller to generate a unique data encryption key. This operation requires the kms:GenerateDataKey permission on the KMS key used for encryption. If this permission is missing, the PutObject request fails with an Access Denied error—even though S3 permissions appear correct.
AWS explicitly states that IAM principals uploading objects to SSE-KMS–encrypted buckets must be allowed to use the KMS key. At a minimum, the following KMS permissions are required:
kms:GenerateDataKey
(Implicitly) access allowed by the KMS key policy
Option C correctly resolves the issue by granting the IAM user permission to generate a data key via AWS KMS, enabling successful encryption during the upload process.
Option A is invalid because s3:EncryptionConfiguration is not required for object uploads.
Option B is unnecessary because the IAM user already has s3:PutObject.
Option D is incorrect because ACLs are not used to control KMS encryption permissions and are discouraged by AWS best practices.
Submit