nerdexam
Amazon

DVA-C02 · Question #154

A developer is creating an application for a company. The application needs to read the file doc.txt that is placed in the root folder of an Amazon S3 bucket that is named DOC-EXAMPLE- BUCKET. The com

The correct answer is A. { "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/doc.txt" }. Option A correctly applies the principle of least privilege by granting only the minimum required permission (s3:GetObject) to access only the specific resource needed (the exact file doc.txt in the specified bucket). This means the application can read that one file and nothing

Submitted by jakub_pl· Mar 5, 2026Security, Identity, and Compliance - Implement least privilege access using IAM policies with appropriate actions and resource ARNs

Question

A developer is creating an application for a company. The application needs to read the file doc.txt that is placed in the root folder of an Amazon S3 bucket that is named DOC-EXAMPLE- BUCKET. The company's security team requires the principle of least privilege to be applied to the application's IAM policy. Which IAM policy statement will meet these security requirements? A. B. C. D.

Exhibits

DVA-C02 question #154 exhibit 1
DVA-C02 question #154 exhibit 2

Options

  • A{ "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/doc.txt" }
  • B{ "Action": [ "s3:" ], "Effect": "Allow", "Resource": "" }
  • C{ "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" }
  • D{ "Action": [ "s3:*" ], "Effect": "Allow", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/doc.txt" }

How the community answered

(51 responses)
  • A
    94% (48)
  • B
    2% (1)
  • C
    4% (2)

Explanation

Option A correctly applies the principle of least privilege by granting only the minimum required permission (s3:GetObject) to access only the specific resource needed (the exact file doc.txt in the specified bucket). This means the application can read that one file and nothing else, which is exactly what the requirements demand.

Topics

#IAM Policies#Least Privilege#S3 Access Control#Resource-Based Permissions

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice