nerdexam
Amazon

DVA-C02 · Question #251

A company has an online web application that includes a product catalog. The catalog is stored in an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET. The application must be able to list the objects

The correct answer is A. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET" }, { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" } ] }. Option A is correct because it grants exactly the two permissions required - s3:ListBucket on the bucket resource (arn:aws:s3:::DOC-EXAMPLE-BUCKET) to list objects, and s3:GetObject on the bucket's objects (arn:aws:s3:::DOC-EXAMPLE-BUCKET/*) to download them - and nothing more. T

Submitted by devops_kid· Mar 5, 2026Security, Identity, and Compliance - IAM policy design and principle of least privilege for S3 access

Question

A company has an online web application that includes a product catalog. The catalog is stored in an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET. The application must be able to list the objects in the S3 bucket and must be able to download objects through an IAM policy. Which policy allows MINIMUM access to meet these requirements? A. B. C. D.

Exhibits

DVA-C02 question #251 exhibit 1
DVA-C02 question #251 exhibit 2
DVA-C02 question #251 exhibit 3
DVA-C02 question #251 exhibit 4
DVA-C02 question #251 exhibit 5
DVA-C02 question #251 exhibit 6
DVA-C02 question #251 exhibit 7
DVA-C02 question #251 exhibit 8

Options

  • A{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET" }, { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" } ] }
  • B{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET" }, { "Effect": "Allow", "Action": [ "s3:" ], "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/" } ] }
  • C{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" } ] }
  • D{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET" }, { "Effect": "Deny", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" } ] }

How the community answered

(19 responses)
  • A
    95% (18)
  • D
    5% (1)

Explanation

Option A is correct because it grants exactly the two permissions required - s3:ListBucket on the bucket resource (arn:aws:s3:::DOC-EXAMPLE-BUCKET) to list objects, and s3:GetObject on the bucket's objects (arn:aws:s3:::DOC-EXAMPLE-BUCKET/*) to download them - and nothing more. This follows the principle of least privilege by providing minimum necessary access. Note that s3:ListBucket and s3:GetObject require different resource ARNs: the bucket itself for listing, and the objects wildcard for get operations.

Topics

#IAM Policies#S3 Permissions#Least Privilege#Resource-based Access Control

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice