Amazon SOA-C02: AWS Certified SysOps Administrator - Associate Exam | S3 Bucket Security Guidelines

S3 Bucket Security Guidelines

Prev Question Next Question

Question

A start-up firm has created an S3 bucket “test_bucket”

The contents of this bucket should be accessible only by user ABC in AWS account 123456789012

Which of the following S3 bucket policy statements should be applied to meet security guidelines for the least privileges?

Answers

A. { "Version": "2012-10-17", "Statement":[{ "Effect": "Allow", "Action": "s3:*", "Resource": ["arn:aws:s3:::*"] }] }

B. { "Version": "2012-10-17", "Statement":[{ "Effect": "Allow", "Action": "s3:*", "Resource": ["arn:aws:s3:::test_bucket", "arn:aws:s3:::test_bucket/*"] }] }

C. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam::123456789012:user/ABC"] }, "Action": "s3:*", "Resource": ["arn:aws:s3:::*"] }] }

D. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam::123456789012:user/ABC"] }, "Action": "s3:*", "Resource": ["arn:aws:s3:::test_bucket", "arn:aws:s3:::test_bucket/*"] }] }

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer - D.

Options A & B are incorrect because the bucket policy needs the "Principal" field to indicate which IAM identities can use this policy.

Option C is incorrect because this bucket policy grants full access to user ABC to all S3 buckets.

However, the user only needs to access “test_bucket”.

Option D is CORRECT because with the bucket policy, the IAM user ABC is only assigned the permissions on “test_bucket”.

For more information on usage guidelines for S3 bucket policy & IAM policy, refer to the following URL-

https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

The correct answer is option D.

Explanation: The scenario states that a start-up firm has created an S3 bucket named "test_bucket" and the contents of this bucket should only be accessible by user ABC in AWS account 123456789012. This means that we need to create a bucket policy statement that will allow access only to the specified user in the given AWS account.

Option A is incorrect because it grants access to all S3 resources in the account. This policy statement would allow any user or service in the account to access any S3 resource, which is not what the scenario requires.

Option B is incorrect because it grants access to all resources in the "test_bucket" S3 bucket. This policy statement would allow any user or service to access the contents of the "test_bucket" S3 bucket, which is also not what the scenario requires.

Option C is incorrect because it grants access to all S3 resources in the account for the specified user. This policy statement would allow the specified user to access all S3 resources in the account, which is again not what the scenario requires.

Option D is the correct answer because it grants access only to the specified user in the given AWS account for the "test_bucket" S3 bucket. This policy statement would allow only the specified user in the given AWS account to access the contents of the "test_bucket" S3 bucket and not any other S3 resource in the account.

Therefore, option D is the correct answer as it meets the security guidelines for the least privileges.

Note: It is always a best practice to grant the least privileges required to perform a specific action or task.

Prev Question Next Question