AWS Certified Security - Specialty



A security engineer initially sets an Amazon S3 bucket policy to deny access to all users. Subsequently, the engineer modifies the policy to grant read-only access to a specific employee. Despite the update, the employee continues to encounter an 'access denied' error. What is the most probable cause of this persistent access denial?




Explanation:

The correct answer is D. In AWS policy evaluation logic, an explicit Deny in any applicable policy overrides every Allow, no matter where the Allow appears or which statement was written later. The engineer's original statement denies all principals ("Principal": "*"), so the newly added read-only Allow for the employee is evaluated alongside that Deny and loses: the request ends in an explicit deny, which is why the employee still sees 'access denied'. Adding an Allow never carves an exception out of a Deny. The Deny statement itself has to be removed or narrowed so it no longer matches the employee, for example with a Condition on aws:PrincipalArn (or a NotPrincipal element) that excludes that user, after which the read-only Allow can take effect.
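To make the evaluation order concrete, here is an added example that is not part of the original question bank: a deliberately simplified Python model of how a bucket policy is evaluated (explicit Deny first, then Allow, otherwise implicit deny), run against the broken policy from the question and a fixed version whose Deny is narrowed with a Condition on aws:PrincipalArn. The account ID, user names, bucket name and the evaluator itself are assumptions for illustration; this is not AWS's own engine and it ignores identity-based policies, SCPs, permissions boundaries and ACLs.

```python
"""Simplified model of S3 bucket-policy evaluation: an explicit Deny that
matches the request beats any Allow, and only narrowing the Deny fixes it.
Added example; the ARNs, bucket name and evaluator are assumptions, not
AWS's own engine (identity policies, SCPs and ACLs are not modelled)."""
import fnmatch

# Constructed sample identities and resources (assumed, not from the page).
EMPLOYEE = "arn:aws:iam::111122223333:user/alice"
OTHER_USER = "arn:aws:iam::111122223333:user/bob"
BUCKET = "arn:aws:s3:::example-bucket"
OBJECTS = "arn:aws:s3:::example-bucket/*"

# Broken policy: the original deny-all is left in place and an Allow is
# bolted on. The Deny still matches the employee, so the Allow never wins.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyAll", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET, OBJECTS]},
        {"Sid": "AllowEmployeeRead", "Effect": "Allow",
         "Principal": {"AWS": EMPLOYEE},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET, OBJECTS]},
    ],
}

# Fixed policy: the Deny is narrowed so it no longer matches the employee;
# the unchanged Allow then takes effect for the read-only actions.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyEveryoneElse", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET, OBJECTS],
         "Condition": {"ArnNotEquals": {"aws:PrincipalArn": EMPLOYEE}}},
        BROKEN_POLICY["Statement"][1],
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return any(p == "*" or p == principal_arn for p in aws)


def _conditions_hold(stmt, context):
    """Supports only the equality operators this example needs."""
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator in ("StringEquals", "ArnEquals"):
                if actual not in _as_list(expected):
                    return False
            elif operator in ("StringNotEquals", "ArnNotEquals"):
                if actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policy, principal_arn, action, resource):
    """Return 'EXPLICIT_DENY', 'ALLOW' or 'IMPLICIT_DENY' for one request.

    Any matching Deny ends evaluation as an explicit deny; otherwise a
    matching Allow grants access; otherwise the result is an implicit deny.
    """
    context = {"aws:PrincipalArn": principal_arn}
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return "EXPLICIT_DENY"  # stop here: a Deny beats every Allow
        allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "employee GetObject ->", evaluate(policy, EMPLOYEE, "s3:GetObject", obj))
        print(name, "other user GetObject ->", evaluate(policy, OTHER_USER, "s3:GetObject", obj))
```

Running it shows the broken policy returning an explicit deny for the employee's GetObject even though an Allow for exactly that request is present, while the fixed policy allows the employee's read actions, still explicitly denies every other principal, and falls through to an implicit deny for actions the Allow does not cover (such as s3:PutObject). In a real account the same deny-first rule applies across every policy type that is evaluated for the request, which is why a stray Deny in an SCP or identity policy produces the same symptom.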