A security engineer is tasked with configuring attribute-based access control (ABAC) for an Amazon S3 bucket to ensure that only specific principals can upload objects. These principals already have general access to Amazon S3. The engineer sets up a bucket policy that permits object uploads only if the 'Team' tag on the object matches the 'Team' tag associated with the principal. However, during testing, it is observed that principals can still upload objects to the S3 bucket even when the 'Team' tag values do not match. Identify two factors that could be causing the PutObject operation to succeed under these mismatched tag conditions.
Explanation:
The correct answer to this question is a combination of options A and C. Option A states that the principal's identity-based policy grants access to put objects into the S3 bucket with no conditions, which means that policy allows the operation regardless of any tag-based conditions set in the bucket policy. Option C highlights that the S3 bucket's resource policy does not deny access to put objects, implying that no explicit deny statement is in place to block the PutObject action when the tag values do not match. For a principal in the same account as the bucket, the permissions granted by the identity-based policy and the bucket policy are combined, so an unconditional Allow in either is sufficient unless an explicit Deny applies. Together, these factors explain why the PutObject operation succeeds even when the tag values differ.
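The following is an added illustration, not part of the question bank: a simplified Python model of same-account policy evaluation (explicit Deny overrides Allow, which overrides the implicit deny) run over constructed sample policies. The bucket name and the tag values are placeholders; the condition keys `s3:RequestObjectTag/Team` and `aws:PrincipalTag/Team` are the real AWS keys such a policy would use, but the evaluator supports only the two string operators shown and does no full resource or principal matching.

```python
import re

# Constructed sample policies for a placeholder bucket name.
BUCKET_OBJECTS = "arn:aws:s3:::example-bucket/*"

# Identity-based policy the principals already carry: PutObject with no Condition.
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": BUCKET_OBJECTS}]}

# Bucket policy as described in the question: Allow only when the object's
# Team tag equals the principal's Team tag. It never denies anything.
ALLOW_ONLY_BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject", "Resource": BUCKET_OBJECTS,
     "Condition": {"StringEquals": {"s3:RequestObjectTag/Team": "${aws:PrincipalTag/Team}"}}}]}

# Hardened bucket policy: an explicit Deny on mismatch overrides any Allow.
DENY_MISMATCH_BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": BUCKET_OBJECTS,
     "Condition": {"StringNotEquals": {"s3:RequestObjectTag/Team": "${aws:PrincipalTag/Team}"}}}]}


def _resolve(value, ctx):
    """Substitute ${key} policy variables from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)


def _condition_holds(cond, ctx):
    """Evaluate the two string operators the sample policies use."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual, want = ctx.get(key), _resolve(expected, ctx)
            if op == "StringEquals" and actual != want:      # missing key -> condition fails
                return False
            if op == "StringNotEquals" and actual == want:   # missing key -> condition holds
                return False
    return True


def evaluate(policies, action, ctx):
    """Same-account evaluation: explicit Deny beats Allow, Allow beats implicit deny."""
    decision = "implicit deny"
    for policy in policies:
        for st in policy["Statement"]:
            if st["Action"] != action or st["Resource"] != BUCKET_OBJECTS:
                continue
            if "Condition" in st and not _condition_holds(st["Condition"], ctx):
                continue                       # statement does not apply to this request
            if st["Effect"] == "Deny":
                return "explicit deny"
            decision = "allow"
    return decision


if __name__ == "__main__":
    mismatch = {"aws:PrincipalTag/Team": "red", "s3:RequestObjectTag/Team": "blue"}
    print(evaluate([IDENTITY_POLICY, ALLOW_ONLY_BUCKET_POLICY], "s3:PutObject", mismatch))
    print(evaluate([IDENTITY_POLICY, DENY_MISMATCH_BUCKET_POLICY], "s3:PutObject", mismatch))
```

With the Allow-only bucket policy the mismatched upload is still allowed because the unconditional identity-based Allow is enough; the explicit Deny version blocks it, including when the request carries no Team tag at all.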