You’re planning to use Kinesis Data Firehose. The data would be sent to an S3 bucket. The data would be encrypted at rest using a KMS key. You need to create an IAM role with suitable IAM policies to grant Kinesis Data Firehose access to the S3 bucket. Which of the following permissions need to be included in the IAM policies? (Select TWO.)

Answer options:

A.Kms:Decrypt
B.Kms:Import-key-material
C.Kms:GenerateCustomerKey
D.Kms:GenerateDataKey

Answer – A and D
If Kinesis Firehose needs to access an S3 bucket where encryption is enabled using KMS, the following permissions need to be included in the IAM policies.
Since the documentation clearly mentions what access needs to be given, the other options are invalid.
For more information on controlling access, please refer to the below URL
https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-s3