DVA-C02 · Question #251
A company has an online web application that includes a product catalog. The catalog is stored in an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET. The application must be able to list the objects
The correct answer is A. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET" }, { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" } ] }. Option A is correct because it grants exactly the two permissions required - s3:ListBucket on the bucket resource (arn:aws:s3:::DOC-EXAMPLE-BUCKET) to list objects, and s3:GetObject on the bucket's objects (arn:aws:s3:::DOC-EXAMPLE-BUCKET/*) to download them - and nothing more. T
Question
A company has an online web application that includes a product catalog. The catalog is stored in an Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET. The application must be able to list the objects in the S3 bucket and must be able to download objects through an IAM policy. Which policy allows MINIMUM access to meet these requirements? A. B. C. D.
Exhibits
Options
- A{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET" }, { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" } ] }
- B{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET" }, { "Effect": "Allow", "Action": [ "s3:" ], "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/" } ] }
- C{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" } ] }
- D{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET" }, { "Effect": "Deny", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" } ] }
How the community answered
(19 responses)- A95% (18)
- D5% (1)
Explanation
Option A is correct because it grants exactly the two permissions required - s3:ListBucket on the bucket resource (arn:aws:s3:::DOC-EXAMPLE-BUCKET) to list objects, and s3:GetObject on the bucket's objects (arn:aws:s3:::DOC-EXAMPLE-BUCKET/*) to download them - and nothing more. This follows the principle of least privilege by providing minimum necessary access. Note that s3:ListBucket and s3:GetObject require different resource ARNs: the bucket itself for listing, and the objects wildcard for get operations.
Topics
Community Discussion
No community discussion yet for this question.







