
Explanation:
To allow cross-account access to an Amazon S3 bucket, two policies are required:
1) An identity-based policy in the IAM user's account granting them permission to perform the action (Option B, targeting the objects inside the bucket with /*).
2) A resource-based policy (bucket policy) on the target bucket granting the specific IAM user or account permission to perform the action (Option A).
Option D is incorrect because s3:PutObject applies to objects (/*), not the bucket itself. Option C is overly permissive and insecure.
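The two-policy requirement above, as an added example that is not part of the original page: a simplified Python model that builds the policies from options A to D and checks a cross-account upload against them. The account ID, user names, object key and the Resource used in the bucket policies are constructed assumptions, and the evaluator handles only Allow statements (no Deny, no Condition), so it is not AWS's full evaluation logic.

```python
import json
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
# Constructed placeholder principals; account ID and user names are assumptions.
USER = "arn:aws:iam::111122223333:user/sysops-admin"
OTHER = "arn:aws:iam::111122223333:user/someone-else"

def policy(resource, principal=None):
    """Build a one-statement s3:PutObject Allow policy (bucket policy if principal is set)."""
    stmt = {"Effect": "Allow", "Action": "s3:PutObject", "Resource": resource}
    if principal is not None:
        stmt["Principal"] = "*" if principal == "*" else {"AWS": principal}
    return {"Version": "2012-10-17", "Statement": [stmt]}

OPTION_A = policy(BUCKET + "/*", USER)  # bucket policy naming the user's ARN
OPTION_B = policy(BUCKET + "/*")        # identity policy on the objects
OPTION_C = policy(BUCKET + "/*", "*")   # bucket policy open to every principal
OPTION_D = policy(BUCKET)               # identity policy on the bucket ARN only

def allows(pol, action, resource, principal=None):
    """True if an Allow statement matches action, resource and (if present) principal."""
    for stmt in pol["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != action:
            continue
        if not fnmatchcase(resource, stmt["Resource"]):
            continue  # e.g. the bucket ARN does not match an object ARN
        wanted = stmt.get("Principal")
        if wanted not in (None, "*") and wanted.get("AWS") != principal:
            continue
        return True
    return False

def cross_account_put(identity_policy, bucket_policy, principal, key):
    """Cross-account upload succeeds only if BOTH policies allow s3:PutObject on the object."""
    obj = f"{BUCKET}/{key}"
    return (allows(identity_policy, "s3:PutObject", obj)
            and allows(bucket_policy, "s3:PutObject", obj, principal))

if __name__ == "__main__":
    print(json.dumps(OPTION_A, indent=2))
    for name, ident in (("B", OPTION_B), ("D", OPTION_D)):
        print(f"identity {name} + bucket A:",
              cross_account_put(ident, OPTION_A, USER, "reports/q1.csv"))
```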
Question 28
A SysOps administrator is using IAM credentials to try to upload a file to a customer's Amazon S3 bucket that is named DOC-EXAMPLE-BUCKET. The SysOps administrator is receiving an AccessDenied message. Which combination of configuration changes will correct this problem? (Choose two.)
A. Add a bucket policy to DOC-EXAMPLE-BUCKET that grants s3:PutObject permission to the SysOps administrator's IAM user ARN.
B. Modify the IAM policy attached to the SysOps administrator's user to grant s3:PutObject permission on arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.
C. Add a bucket policy to DOC-EXAMPLE-BUCKET that grants s3:PutObject permission to all principals ("Principal": "*").
D. Modify the IAM policy attached to the SysOps administrator's user to grant s3:PutObject permission on arn:aws:s3:::DOC-EXAMPLE-BUCKET.
E. Add a bucket ACL to DOC-EXAMPLE-BUCKET that grants WRITE permission to the SysOps administrator's IAM user.