
A security engineer is tasked with configuring account-based access control (ABAC) for an Amazon S3 bucket to ensure that only specific principals can upload objects. These principals already have general access to Amazon S3. The engineer sets up a bucket policy that permits object uploads only if the 'Team' tag on the object matches the 'Team' tag associated with the principal. However, during testing, it is observed that principals can still upload objects to the S3 bucket even when the 'Team' tag values do not match. Identify two factors that could be causing the PutObject operation to succeed under these mismatched tag conditions.
A. The principal's identity-based policy grants access to put objects into the S3 bucket with no conditions.
B. The principal's identity-based policy overrides the condition because the identity-based policy contains an explicit allow.
C. The S3 bucket's resource policy does not deny access to put objects.
D. The S3 bucket's resource policy cannot allow actions to the principal.
E. The bucket policy does not apply to principals in the same zone of trust.