You have a Jenkins server deployed in EC2. One Jenkins pipeline is used to build artifacts. It needs to fetch some source files from an S3 bucket which is encrypted with a Customer Master Key (CMK) in KMS. The pipeline was working fine. However, it suddenly stopped working early this week. You have found that the Jenkins task failed to decrypt the S3 data using the CMK. Which one may be the cause of the failure?

Answer options:

A.The secret access key and access key token have expired for the Jenkins EC2 IAM user.
B.The key policy of the CMK was added with a ViaService condition for EC2 service.
C.The key policy of the CMK was recently modified with a deny for the IAM role that Jenkins EC2 is using.
D.An SCP policy was added in the Organization which allows kms:encryption operation for EC2 resources.

Correct Answer – C
Users should check if the IAM role can use the CMK in both the IAM policy and key policy. At least there should be an allow in either policy, and there should not be any explicit deny.
Option A is incorrect: Because the Jenkins EC2 should use an IAM role instead of an IAM user. IAM roles do not have the issue of token expire.
Option B is incorrect: Because the ViaService condition for EC2 service would allow the key usage for EC2 instances so that it should not cause the issue.
Option C is CORRECT: Because an explicit deny will disallow the key to be used by the Jenkins server. That may be a cause of the failure.
Option D is incorrect: Because the kms:encryption allows in-service control policy (SCP) should not result in this failure.