- Request from VPC which is not part of same AWS regions are not allowed.
- Request from different VPCs are not allowed.
- IP address is not listed correctly in the allowed list of IP addresses.
- Selected EC2 instance does not support encrypted EBS volume.
Abs: C
Detailed Explanation: If you don’t have correct knowledge than such options can confuse you and lead to choose wrong answer. In this case Request reaching to KMS to decrypt the volumes encrypted data key comes from the IP address of EC2 instance which does not allow IP addresses other than specified in the Policy Document. You allowed IP addresses from your corporate network but not the IP address of your EC2 instance. Similar issue can occur if you specify VPC based conditions in policy.