Question #793
A company hosts a document repository using an Amazon S3 bucket named EXAMPLE-DOCS-BUCKET. The application requires the ability to list objects in the bucket and retrieve objects via an IAM policy. Which policy provides the LEAST privileged access while fulfilling these requirements?
A.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE-DOCS-BUCKET"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::EXAMPLE-DOCS-BUCKET/*"
    }
  ]
}

B.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE-DOCS-BUCKET"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": "arn:aws:s3:::EXAMPLE-DOCS-BUCKET/*"
    }
  ]
}

C.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE-DOCS-BUCKET"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::EXAMPLE-DOCS-BUCKET/*"
    }
  ]
}

D.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE-DOCS-BUCKET"
    },
    {
      "Effect": "Deny",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::EXAMPLE-DOCS-BUCKET/*"
    }
  ]
}
Explanation
Option A is correct because it allows only the two actions the application needs: s3:ListBucket to list the objects in the bucket and s3:GetObject to retrieve them. Note the two resource forms: ListBucket is a bucket-level action and must name the bucket ARN, while GetObject is an object-level action and must name object ARNs (the bucket ARN followed by '/*').
- Option B uses 's3:*' (every S3 action) on the objects, which grants far more than read access (e.g., s3:PutObject, s3:DeleteObject).
- Option C adds s3:PutObject and s3:DeleteObject, which are unnecessary for read-only access.
- Option D denies s3:GetObject, which contradicts the requirement to retrieve objects.
Key Points:
1. Least privilege means granting only required actions.
2. ListBucket applies to the bucket ARN; GetObject applies to object ARNs (bucket ARN + '/*'). A ListBucket grant scoped to '/*', or a GetObject grant scoped to the bare bucket ARN, matches nothing and silently grants no access.
3. Wildcards (e.g., 's3:*') or unnecessary actions violate least privilege.
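To make the comparison mechanical rather than by inspection, the following is an added example (not part of the original question or of any AWS tooling): a simplified IAM evaluator that applies the real precedence rule (explicit Deny wins, then Allow, else implicit deny) with '*' and '?' wildcard matching, and scores each of the four candidate policies against the requirements from the question plus a constructed list of actions a read-only application must not be able to perform. The object key report.pdf, the FORBIDDEN list, and the helper names are assumptions for illustration; the evaluator ignores Condition keys, action-name case folding, bucket policies and SCPs.

```python
"""Simplified IAM evaluator used to rank the four candidate S3 policies.

Added example, not code from the question or from AWS. Evaluation rule as in
IAM: an explicit Deny on a matching action/resource wins, otherwise any
matching Allow grants access, otherwise access is implicitly denied.
Simplifications: only '*' / '?' wildcards, no Condition keys, no case folding
of action names, no bucket-policy or SCP layers.
"""
import fnmatch

BUCKET = "arn:aws:s3:::EXAMPLE-DOCS-BUCKET"
OBJECT = BUCKET + "/report.pdf"  # constructed sample object key (assumption)

# What the question says the application needs ...
REQUIRED = [("s3:ListBucket", BUCKET), ("s3:GetObject", OBJECT)]
# ... and what a read-only repository client must NOT be able to do
# (constructed list for this example; extend it for a real review).
FORBIDDEN = [
    ("s3:PutObject", OBJECT),
    ("s3:DeleteObject", OBJECT),
    ("s3:DeleteBucket", BUCKET),
]


def _policy(object_effect, object_actions):
    """Build one candidate: ListBucket on the bucket ARN plus one object-level statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
            {"Effect": object_effect, "Action": object_actions, "Resource": BUCKET + "/*"},
        ],
    }


# The four options from the question, transcribed as Python dicts.
POLICIES = {
    "A": _policy("Allow", ["s3:GetObject"]),
    "B": _policy("Allow", ["s3:*"]),
    "C": _policy("Allow", ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]),
    "D": _policy("Deny", ["s3:GetObject"]),
}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM '*' matches any run of characters (including '/'), '?' exactly one;
    # fnmatchcase implements that for strings without '[' or ']' (ARNs have none).
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Return True if the policy permits `action` on `resource`."""
    allowed = False
    for stmt in policy["Statement"]:
        hits_action = any(_match(p, action) for p in _as_list(stmt["Action"]))
        hits_resource = any(_match(p, resource) for p in _as_list(stmt["Resource"]))
        if not (hits_action and hits_resource):
            continue  # statement does not apply to this request
        if stmt["Effect"] == "Deny":
            return False  # explicit deny overrides every allow
        allowed = True
    return allowed  # False here is the implicit deny


def evaluate(policy):
    """Score a policy: what it fails to grant and what it grants but should not."""
    missing = [f"{a} on {r}" for a, r in REQUIRED if not is_allowed(policy, a, r)]
    excess = [f"{a} on {r}" for a, r in FORBIDDEN if is_allowed(policy, a, r)]
    return {"missing": missing, "excess": excess,
            "least_privilege": not missing and not excess}


def least_privileged_options(policies):
    """Names of the candidates that satisfy REQUIRED and grant nothing in FORBIDDEN."""
    return [name for name, pol in policies.items() if evaluate(pol)["least_privilege"]]


if __name__ == "__main__":
    for name, pol in POLICIES.items():
        print(name, evaluate(pol))
    print("least privilege:", least_privileged_options(POLICIES))
```

Running it reports B and C as over-privileged (they allow PutObject and DeleteObject on the objects), D as under-privileged (its explicit Deny blocks GetObject regardless of any Allow), and A as the only candidate that passes. The same is_allowed helper also shows the ARN-scoping point from the key points: a ListBucket statement whose Resource is the '/*' object pattern never matches a request against the bucket ARN.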
Answer
The correct answer is: A