Question #705
A developer is attempting to upload a file to an Amazon S3 bucket named dev-data-bucket using the AWS CLI. The developer configured the AWS CLI with a specific IAM user’s credentials and executed the following command:
aws s3 cp report.csv s3://dev-data-bucket/report.csv
The command returned a 'Access Denied' error, and the file was not uploaded.
What is the MOST likely cause of this issue?
The command is incorrect; it should be rewritten to use sync instead of cp for file transfers.
The developer must contact AWS Support to request elevated permissions for the dev-data-bucket.
Amazon S3 requires all CLI commands to include a --region parameter for regional buckets.
The IAM user lacks an attached policy granting s3:PutObject permissions for dev-data-bucket.
Explanation
The correct answer is D. The IAM user must have an attached policy granting s3:PutObject permissions for the target S3 bucket (dev-data-bucket) to upload files. The AWS CLI uses the configured IAM credentials, and if the user lacks the required permissions, the operation fails with 'Access Denied'.
Why other options are incorrect:
- A: The 'cp' command is valid for single-file uploads; 'sync' is used for directory synchronization.
- B: AWS Support does not grant permissions; access is controlled via IAM policies and bucket policies.
- C: The AWS CLI infers the region from its configuration unless overridden. A missing --region parameter would result in a different error (e.g., 'Bucket does not exist'), not 'Access Denied'.
Key Points:
1. s3:PutObject is required for uploading objects to S3.
2. IAM policies define permissions for AWS services.
3. 'Access Denied' typically indicates missing IAM permissions or explicit bucket policy denials.
Answer
The correct answer is: D