A large IT firm is using an Amazon S3 bucket for storing all project documents regularly. As per security guidelines, all these files need to be encrypted using the AWS KMS key. A user from a different account can successfully upload small project files to the S3 bucket. But when the same user tries to upload a large file, he receives the "Access Denied" error. Which of the following check needs to be performed so that the user can upload all files?

Answer options:

A.Check if the user is sending encryption information using AWS KMS for files above size 100 Mb.
B.Check if the user has permission to perform kms:Decrypt action in both key policy & IAM policy for files above 100 Mb.
C.Check if the user has permission to perform kms:Decrypt action in only IAM policy for files above 100 Mb.
D.Check if the user has permission to perform kms:Decrypt action in only key policy for files above 100 Mb.

Correct Answer – B
For large-size files, Amazon S3 automatically performs multipart uploads. While performing multipart uploads, Amazon S3 performs decryption of files & read data from encrypted files to complete multipart uploads. To perform this decryption, IAM users (from a different account)must have kms:Decrypt permission along with other permissions.
Option A is incorrect as even though the user is sending encryption information, the user needs to have additional permission for kms:Decrypt to upload large files successfully.
Options C & D are incorrect as users need to have kms:Decrypt permission in both key policy & IAM policy.
For more information on Amazon S3 encryption, refer to the following URL-
https://aws.amazon.com/premiumsupport/knowledge-center/s3-large-file-encryption-kms-key/