Question #1922
A company uses an Amazon S3 bucket to store critical data for multiple projects, each assigned a unique prefix. The company needs to ensure each project team can only access objects within their designated prefix and perform specific operations (e.g., read/write). The solution must minimize administrative complexity and operational overhead.
A. Create S3 access points for each project with policies restricting access to their respective prefixes.
B. Use S3 Batch Operations to apply object-level ACLs for each project's prefix.
C. Replicate data from each prefix into separate S3 buckets and configure bucket policies for each project.
D. Assign IAM roles to each project team with inline policies scoped to their prefix.
Explanation
Answer A is correct. An S3 access point is a named endpoint attached to a single bucket, and each access point carries its own resource policy. Creating one access point per project and writing its policy so that object actions are allowed only on `arn:aws:s3:<region>:<account>:accesspoint/<name>/object/<prefix>*` (with `s3:ListBucket` constrained by the `s3:prefix` condition key) confines that team to its prefix without copying data into separate buckets (Option C) or hand-maintaining an inline policy per team that must be kept in sync with the prefix layout (Option D). Two caveats apply in practice: the bucket policy must delegate access control to access points (typically an allow conditioned on `s3:DataAccessPointAccount` matching the account), and each team still authenticates with an IAM principal; what the access point removes is the per-team, per-prefix policy logic, not the identities. Option B is incorrect because ACLs attach to individual objects rather than prefixes: a Batch Operations job only touches objects that already exist, so every new upload would need another job, ACLs cannot express per-operation grants to IAM roles, and AWS recommends keeping ACLs disabled (Object Ownership set to bucket owner enforced) in favour of policies. Access points provide a scalable, centralized solution aligned with AWS best practices, keeping operational overhead low while enforcing least-privilege access.
Key Points:
- S3 access points enable prefix-based access control within a single bucket, with no data replication.
- The prefix restriction lives in each access point's policy, so no per-team inline IAM policy has to be maintained; the bucket policy must still delegate to access points, and teams still authenticate with IAM principals.
- ACLs (Option B) are per-object, do not cover future uploads, and are not recommended for modern access management.
- Access points are designed for scalable, granular permissions.
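As an added example (not part of the original question or its explanation), the following Python builds the two policy documents the chosen design needs, an access point policy scoped to one team's prefix and the bucket policy that delegates to access points, and runs the access point policy through a deliberately simplified evaluator to show which requests the prefix scoping admits. The account ID, region, bucket, role and access point names are made-up placeholders, and the evaluator handles only Allow statements with `StringLike` conditions, not the full IAM evaluation logic.

```python
"""Added example, not from the original page: prefix-scoped S3 access point
policy plus bucket delegation policy, checked with a simplified evaluator.
All identifiers below are assumed placeholders."""
import fnmatch
import json

ACCOUNT = "123456789012"          # assumed placeholder account ID
REGION = "us-east-1"              # assumed region
BUCKET = "example-critical-data"  # assumed bucket name


def access_point_arn(name):
    """ARN of an access point in this account and region."""
    return f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{name}"


def build_access_point_policy(name, prefix, role_arn,
                              actions=("s3:GetObject", "s3:PutObject")):
    """Access point policy confining one team's role to one prefix.
    Object ARNs under an access point have the form
    <access point ARN>/object/<key>, so the prefix sits after /object/."""
    ap_arn = access_point_arn(name)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ObjectOpsInPrefix",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": list(actions),
                "Resource": f"{ap_arn}/object/{prefix}*",
            },
            {
                "Sid": "ListOnlyThisPrefix",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": "s3:ListBucket",
                "Resource": ap_arn,
                "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}},
            },
        ],
    }


def build_bucket_delegation_policy():
    """Bucket policy delegating access decisions to access points owned by
    this account; without it the access point policy alone is not enough."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DelegateToAccessPoints",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"StringEquals": {"s3:DataAccessPointAccount": ACCOUNT}},
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def policy_allows(policy, principal, action, resource, context=None):
    """Simplified evaluator: Allow statements only, IAM-style * and ?
    wildcards via fnmatch, and StringLike conditions against `context`.
    It ignores Deny, NotAction, NotResource and every other operator."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principal not in principals and "*" not in principals:
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        # A missing context key never satisfies StringLike.
        if all(fnmatch.fnmatchcase(context.get(key, ""), pat)
               for key, pat in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    role = f"arn:aws:iam::{ACCOUNT}:role/project-a-team"   # assumed role
    print(json.dumps(build_access_point_policy("project-a", "project-a/", role), indent=2))
    print(json.dumps(build_bucket_delegation_policy(), indent=2))
```

The generated documents can be applied with `aws s3control create-access-point` and `aws s3control put-access-point-policy` for the access point and `aws s3api put-bucket-policy` for the bucket; the evaluator is only a local sanity check on the prefix scoping and is no substitute for testing from the team's real role or the IAM policy simulator.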
Answer
The correct answer is: A