
Answer-first summary for fast verification
Answer: The S3 bucket policy authorizes reads
Overall explanation

Correct option: The S3 bucket policy authorizes reads

When evaluating the IAM policy of an EC2 instance acting on S3, the least-privilege union of the instance's IAM policy and the S3 bucket's bucket policy is taken into account. In the given use case the IAM role has been removed, so only the S3 bucket policy is in effect, and that policy authorizes reads.

Here is a great reference blog for understanding the various scenarios for using an IAM policy vs an S3 bucket policy: https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

Incorrect options:

The EC2 instance is using cached temporary IAM credentials - As the IAM instance role has been removed, that wouldn't be the case.

Removing an instance role from an EC2 instance can take a few minutes before being active - It is immediately active, and even if it weren't, this wouldn't explain why reads still work but writes don't.

When a read is done on a bucket, there's a grace period of 5 minutes to do the same read again - This is not true. Every single request is evaluated against IAM in the AWS model.
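To make the evaluation rule above concrete, here is an added example (not part of the original question or its explanation) that models how AWS combines an identity-based policy with a bucket policy for one request. The role policy, the bucket policy, the bucket name `my_bucket` and the object key `report.csv` are constructed for the example; the evaluator is deliberately simplified, so it matches only Effect, Action and Resource, ignores Principal, Condition, SCPs and permission boundaries, and assumes the bucket policy's Principal matches whatever identity the instance presents once the role is detached.

```python
"""Simplified model of AWS policy evaluation for the EC2 -> S3 scenario.

Constructed example. It implements only the core ordering rule
(explicit Deny > any Allow > implicit deny) over the pool of statements from
every applicable policy, which is what makes "role detached, bucket policy
still grants reads" come out the way the question describes.
"""
from fnmatch import fnmatchcase

BUCKET = "my_bucket"  # constructed bucket name from the question

# Constructed identity-based policy on the (later detached) instance role.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}

# Constructed resource-based (bucket) policy on my_bucket: reads only.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",  # assumption: matches the caller; not evaluated here
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    """IAM-style wildcard match ('*' and '?'); actions are case-insensitive."""
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    else:
        patterns = _as_list(patterns)
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(action, resource, policies):
    """Return 'allow' or 'deny' for one request.

    All applicable policies (identity-based and resource-based) are merged
    into one pool of statements: an explicit Deny anywhere wins, otherwise
    any matching Allow wins, otherwise the request is implicitly denied.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, case_insensitive=True):
                continue
            if not _matches(stmt["Resource"], resource, case_insensitive=False):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"  # explicit deny always wins
            allowed = True
    return "allow" if allowed else "deny"


def scenario():
    """Reproduce the question: role attached, then role detached."""
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"  # constructed object ARN
    with_role = [ROLE_POLICY, BUCKET_POLICY]
    without_role = [BUCKET_POLICY]  # instance role detached
    return {
        "read_with_role": evaluate("s3:GetObject", obj, with_role),
        "write_with_role": evaluate("s3:PutObject", obj, with_role),
        "read_without_role": evaluate("s3:GetObject", obj, without_role),
        "write_without_role": evaluate("s3:PutObject", obj, without_role),
    }


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name:20s} {decision}")
```

Running the script prints the four decisions; the last two lines (read allowed, write denied with only the bucket policy in play) are exactly the behaviour the question describes. The evaluator also shows why the detection question during an incident is "which policy granted this?", not just "which role was attached?": a bucket policy keeps granting after the role is gone.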
Author: LeetQuiz Editorial Team
An Amazon EC2 instance has been configured with an IAM instance role that grants it both read and write permissions to the Amazon S3 bucket named 'my_bucket'. Upon testing, it is confirmed that the IAM instance role successfully allows both reading from and writing to the bucket. Subsequently, the IAM role is detached from the EC2 instance, and another test is conducted to check the read and write functionalities. It is observed that write operations fail while read operations continue to work.
What is the most probable explanation for this observed behavior?
A
When a read is done on a bucket, there's a grace period of 5 minutes to do the same read again
B
The EC2 instance is using cached temporary IAM credentials
C
The S3 bucket policy authorizes reads
D
Removing an instance role from an EC2 instance can take a few minutes before being active