AWS Certified Security - Specialty (#10)

An Amazon S3 bucket is encrypted using an AWS KMS CMK. An IAM user is unable to download objects from the S3 bucket using the AWS Management Console; however, other users can download objects from the S3 bucket. Which policies should the Security Engineer review and modify to resolve this issue? (Select three.)

The CMK policy
The VPC endpoint policy
The S3 bucket policy
The S3 ACL
The IAM policy