
A group requires permissions to list an Amazon S3 bucket and delete objects from that bucket. An administrator has created the following IAM policy to provide access to the bucket and applied that policy to the group. The group is not able to delete objects in the bucket. The company follows least-privilege access rules.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name"
      ],
      "Effect": "Allow"
    }
  ]
}
Which statement should a solutions architect add to the policy to correct bucket access?
A
  "Action": [
    "s3:*Object"
  ],
  "Resource": [
    "arn:aws:s3:::bucket-name/*"
  ],
  "Effect": "Allow"
B
  "Action": [
    "s3:*"
  ],
  "Resource": [
    "arn:aws:s3:::bucket-name/*"
  ],
  "Effect": "Allow"
C
  "Action": [
    "s3:DeleteObject"
  ],
  "Resource": [
    "arn:aws:s3:::bucket-name/*"
  ],
  "Effect": "Allow"
D
  "Action": [
    "s3:DeleteObject"
  ],
  "Resource": [
    "arn:aws:s3:::bucket-name/*"
  ],
  "Effect": "Allow"
Explanation:
The issue with the original policy is that it uses the wrong resource ARN for the s3:DeleteObject action. In AWS IAM policies for S3:
Bucket-level actions (such as s3:ListBucket) require the bucket ARN: arn:aws:s3:::bucket-name
Object-level actions (such as s3:DeleteObject) require the object ARN pattern: arn:aws:s3:::bucket-name/*
Why the original policy fails: the policy grants the s3:DeleteObject permission but attaches it to the bucket ARN instead of the object ARN pattern, so the Allow never matches an object ARN and the request is denied by default.
Analysis of options:
Option A: Uses s3:*Object with a wildcard and the bucket-name/* resource. While this would work, it does not follow least-privilege principles, because it grants every object-level operation rather than only delete.
Option B: Uses s3:* with bucket-name/* resource. This grants all S3 permissions on all objects in the bucket, violating least-privilege.
Option C: Uses s3:DeleteObject with bucket-name/* resource. This correctly addresses the issue by providing the specific delete permission with the correct object-level resource ARN, following least-privilege.
Option D: This appears to be a duplicate of Option C in the provided text (both C and D show identical code). In a real exam scenario, they would be different, but based on the text provided, C is the correct choice.
Correct Solution: Add a separate statement for object-level operations:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::bucket-name"],
      "Effect": "Allow"
    },
    {
      "Action": ["s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::bucket-name/*"],
      "Effect": "Allow"
    }
  ]
}
Key Learning: Always remember the distinction between bucket-level and object-level permissions in S3 IAM policies.
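To make the bucket-level versus object-level distinction concrete, here is an added example (not part of the original quiz page) that evaluates the policies above with a deliberately simplified IAM-style matcher: it applies default deny, matches actions and resource ARNs with IAM's * wildcard, and ignores Deny statements and conditions. The object key and the list of object-level actions are constructed sample data.

```python
import fnmatch

BUCKET = "arn:aws:s3:::bucket-name"
OBJECT = "arn:aws:s3:::bucket-name/reports/q1.csv"  # constructed sample object ARN

# The original policy from the question: DeleteObject attached to the bucket ARN.
ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Action": ["s3:ListBucket", "s3:DeleteObject"],
     "Resource": [BUCKET], "Effect": "Allow"}]}

# Constructed sample of object-level actions used for the least-privilege check.
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectAcl"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified evaluator (assumption): default deny; allow only when one Allow
    statement matches both the action and the resource ARN. IAM's '*' matches
    any characters including '/', which fnmatch also does."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            return True
    return False


def with_added_statement(policy, action_pattern):
    """Return a copy of the policy plus the extra statement each option proposes:
    the given action on the object ARN pattern bucket-name/*."""
    extra = {"Action": [action_pattern], "Resource": [BUCKET + "/*"], "Effect": "Allow"}
    return {"Version": policy["Version"], "Statement": policy["Statement"] + [extra]}


def extra_object_actions(policy, needed=("s3:DeleteObject",)):
    """Object-level actions the policy allows beyond what the group needs."""
    return [a for a in OBJECT_ACTIONS if a not in needed and is_allowed(policy, a, OBJECT)]


if __name__ == "__main__":
    print("original, ListBucket on bucket:", is_allowed(ORIGINAL, "s3:ListBucket", BUCKET))
    print("original, DeleteObject on object:", is_allowed(ORIGINAL, "s3:DeleteObject", OBJECT))
    for label, pattern in (("A", "s3:*Object"), ("B", "s3:*"), ("C", "s3:DeleteObject")):
        fixed = with_added_statement(ORIGINAL, pattern)
        print(label, "delete works:", is_allowed(fixed, "s3:DeleteObject", OBJECT),
              "excess grants:", extra_object_actions(fixed))
```

Running it shows that the original policy allows the listing but denies the delete, that all three candidate statements make the delete work, and that only option C adds no excess object-level grants.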