
Answer-first summary for fast verification
Answer: C. Add a second statement that grants `s3:DeleteObject` on the object ARN pattern:

```json
{
  "Action": ["s3:DeleteObject"],
  "Resource": ["arn:aws:s3:::bucket-name/*"],
  "Effect": "Allow"
}
```
## Explanation

The original policy attaches `s3:DeleteObject` to the wrong resource ARN. In AWS IAM policies for S3:

1. **Bucket-level operations** (such as `s3:ListBucket`) are evaluated against the bucket ARN: `arn:aws:s3:::bucket-name`
2. **Object-level operations** (such as `s3:DeleteObject`) are evaluated against object ARNs, normally written as the pattern `arn:aws:s3:::bucket-name/*`

**Why the original policy fails:**

- The statement grants `s3:DeleteObject`, but its only resource is the bucket ARN `arn:aws:s3:::bucket-name`.
- A delete request is evaluated against the object's own ARN (`arn:aws:s3:::bucket-name/some-key`), which the bucket ARN does not match. No statement allows the call, so it is implicitly denied. `s3:ListBucket` keeps working because it is evaluated against the bucket ARN.

**Analysis of options:**

- **Option A:** `s3:*Object` on `arn:aws:s3:::bucket-name/*`. This would make deletes work, but the wildcard also grants `s3:GetObject`, `s3:PutObject` and every other object-level action, which is more than the group needs and violates least privilege.
- **Option B:** `s3:*` on `arn:aws:s3:::bucket-name/*`. Grants every S3 action on every object in the bucket, violating least privilege.
- **Option C:** `s3:DeleteObject` on `arn:aws:s3:::bucket-name/*`. Grants exactly the missing permission on the correct object-level resource pattern, following least privilege. This is the correct choice.
- **Option D:** In the text provided, D is identical to C. In a real exam the two would differ; based on the text as given, C is the correct choice.

**Correct solution:** keep the bucket-level statement and add a separate statement for the object-level operation:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::bucket-name"],
      "Effect": "Allow"
    },
    {
      "Action": ["s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::bucket-name/*"],
      "Effect": "Allow"
    }
  ]
}
```

**Key learning:** keep bucket-level and object-level permissions on their respective ARNs: the bucket ARN for `s3:ListBucket`, the object pattern `arn:aws:s3:::bucket-name/*` for `s3:DeleteObject`, `s3:GetObject` and `s3:PutObject`. Two practical caveats: on a versioned bucket `s3:DeleteObject` only places a delete marker, and removing a specific version additionally requires `s3:DeleteObjectVersion`; and if deletes still fail after the fix, look for an explicit Deny in a bucket policy, permissions boundary or service control policy, since an explicit Deny overrides this Allow.
Author: LeetQuiz Editorial Team
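The following is an added example, not code from LeetQuiz or from AWS: a small offline model of how IAM matches an S3 request against identity-policy statements, run over the original policy from this question, the policy with option C applied, and the policy with option B applied. The policy texts are the ones on this page; the object key `reports/2024/q1.csv` is a constructed sample, and the evaluator itself is a deliberate simplification (Action/Resource/Effect only, no Principal, Condition, bucket policies or SCPs).

```python
"""Offline model of how IAM matches an S3 request against identity-policy
statements (added example). It handles Action/Resource/Effect, IAM's '*' and
'?' wildcards, case-insensitive action names and the rule that an explicit
Deny beats any Allow. It ignores Principal, Condition, NotAction/NotResource,
bucket policies, SCPs and ACLs, so it illustrates the bucket-ARN vs
object-ARN point rather than replacing the real evaluator."""

import json
import re


def _matches(pattern: str, value: str, case_insensitive: bool) -> bool:
    # IAM wildcards: '*' matches any run of characters (including '/' and
    # ':'), '?' matches exactly one character; everything else is literal.
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    outcome = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_matches(a, action, True) for a in actions):
            continue
        if not any(_matches(r, resource, False) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny wins regardless of other statements
        outcome = "Allow"
    return outcome


# The policy from the question, as written.
ORIGINAL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["s3:ListBucket", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::bucket-name"],
     "Effect": "Allow"}
  ]
}""")

# Option C applied: a second statement on the object ARN pattern.
CORRECTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::bucket-name"],
     "Effect": "Allow"},
    {"Action": ["s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::bucket-name/*"],
     "Effect": "Allow"}
  ]
}""")

# Option B applied instead: shows how much more than 'delete' it grants.
OPTION_B_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::bucket-name"],
     "Effect": "Allow"},
    {"Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::bucket-name/*"],
     "Effect": "Allow"}
  ]
}""")

BUCKET_ARN = "arn:aws:s3:::bucket-name"
# Constructed sample object key; any key under the bucket behaves the same.
OBJECT_ARN = "arn:aws:s3:::bucket-name/reports/2024/q1.csv"


def check(policy: dict) -> dict:
    """Evaluate the three requests that distinguish the options."""
    return {
        "ListBucket on bucket": evaluate(policy, "s3:ListBucket", BUCKET_ARN),
        "DeleteObject on object": evaluate(policy, "s3:DeleteObject", OBJECT_ARN),
        "PutObject on object": evaluate(policy, "s3:PutObject", OBJECT_ARN),
    }


if __name__ == "__main__":
    for name, policy in [("original", ORIGINAL_POLICY),
                         ("option C", CORRECTED_POLICY),
                         ("option B", OPTION_B_POLICY)]:
        print(name, check(policy))
```

The original policy yields `Allow` for `s3:ListBucket` on the bucket ARN but `ImplicitDeny` for `s3:DeleteObject` on the object ARN, because `arn:aws:s3:::bucket-name` does not match `arn:aws:s3:::bucket-name/reports/2024/q1.csv`. Option C flips the delete to `Allow` while `s3:PutObject` stays denied; option B allows the put as well, which is the least-privilege problem. To run the same question through IAM's own evaluator, use `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names s3:DeleteObject --resource-arns arn:aws:s3:::bucket-name/reports/2024/q1.csv` (requires AWS credentials).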
A group requires permissions to list an Amazon S3 bucket and delete objects from that bucket. An administrator has created the following IAM policy to provide access to the bucket and applied that policy to the group. The group is not able to delete objects in the bucket. The company follows least-privilege access rules.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name"
      ],
      "Effect": "Allow"
    }
  ]
}
```
Which statement should a solutions architect add to the policy to correct bucket access?
A

```json
"Action": [
  "s3:*Object"
],
"Resource": [
  "arn:aws:s3:::bucket-name/*"
],
"Effect": "Allow"
```
B

```json
"Action": [
  "s3:*"
],
"Resource": [
  "arn:aws:s3:::bucket-name/*"
],
"Effect": "Allow"
```
C

```json
"Action": [
  "s3:DeleteObject"
],
"Resource": [
  "arn:aws:s3:::bucket-name/*"
],
"Effect": "Allow"
```
D

```json
"Action": [
  "s3:DeleteObject"
],
"Resource": [
  "arn:aws:s3:::bucket-name/*"
],
"Effect": "Allow"
```