Question #1448
The following IAM policy is attached to an IAM group. This is the only policy applied to the group.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "s3:LocationConstraint": "us-west-2"
        }
      }
    },
    {
      "Sid": "2",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:PutObject"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": false
        }
      }
    }
  ]
}
```
What are the effective IAM permissions of this policy for group members?
A. Group members are permitted any Amazon S3 action within the us-west-2 Region. Statements after the Allow permission are not applied.
B. Group members are denied any Amazon S3 permissions in the us-west-2 Region unless they are logged in with multi-factor authentication (MFA).
C. Group members are allowed the s3:DeleteObject and s3:PutObject permissions for all Regions when logged in with multi-factor authentication (MFA). Group members are permitted any other Amazon S3 action.
D. Group members are allowed the s3:DeleteObject and s3:PutObject permissions for the us-west-2 Region only when logged in with multi-factor authentication (MFA). Group members are permitted any other Amazon S3 action within the us-west-2 Region.
Explanation
The IAM policy contains two statements:
1. Allow statement (Sid 1): grants all S3 actions (s3:*) but restricts them to us-west-2 via the s3:LocationConstraint condition.
2. Deny statement (Sid 2): explicitly denies s3:DeleteObject and s3:PutObject unless the request was authenticated with MFA (aws:MultiFactorAuthPresent: true). Because the operator is BoolIfExists, the Deny also matches when the MFA key is absent from the request context.
In AWS IAM, an explicit Deny overrides any Allow. For DeleteObject and PutObject, the Deny matches whenever MFA is absent, so those actions are blocked. When MFA is present, the Deny condition no longer matches, and the Allow statement permits these actions only in us-west-2 (because of the LocationConstraint). All other S3 actions are allowed in us-west-2 regardless of MFA.
Why D is correct:
- DeleteObject/PutObject are allowed only in us-west-2 and only with MFA.
- Other S3 actions are permitted in us-west-2.
Why others are incorrect:
- A: Incorrect because an explicit Deny applies regardless of statement order.
- B: Incorrect because the Deny applies only to DeleteObject/PutObject, not to all S3 actions.
- C: Incorrect because the LocationConstraint restricts permissions to us-west-2, not to all Regions.
Key Takeaway: an explicit IAM Deny overrides any Allow. Conditions (such as LocationConstraint and MFA checks) narrow the scope of a permission.
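An added toy evaluator (example code, not AWS's policy engine and not part of the original question) that walks these two statements the way the explanation describes: wildcard action matching, the StringEquals and BoolIfExists operators, and an explicit Deny overriding Allow. It assumes, as the explanation does, that s3:LocationConstraint reflects the request's Region, and it ignores Resource matching and every other condition operator.

```python
import fnmatch

# The question's policy as a Python dict; the Bool value stays a literal as on the page.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "1", "Effect": "Allow", "Action": "s3:*", "Resource": "*",
         "Condition": {"StringEquals": {"s3:LocationConstraint": "us-west-2"}}},
        {"Sid": "2", "Effect": "Deny", "Action": ["s3:DeleteObject", "s3:PutObject"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": False}}},
    ],
}

def condition_matches(condition, ctx):
    """True if every operator/key pair in the Condition block matches the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                # ...IfExists operators match a missing key; plain operators do not.
                if operator.endswith("IfExists"):
                    continue
                return False
            actual, want = str(ctx[key]), str(expected)
            if operator.startswith("Bool"):      # Bool compares are case-insensitive
                actual, want = actual.lower(), want.lower()
            if actual != want:                    # StringEquals is an exact match
                return False
    return True

def evaluate(policy, action, ctx):
    """IAM-style decision: explicit Deny beats Allow; no matching Allow is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                         # an explicit Deny ends evaluation
        decision = "Allow"
    return decision

def decide(action, region, mfa=None):
    """Build a request context; mfa=None models a request with no MFA key at all."""
    ctx = {"s3:LocationConstraint": region}
    if mfa is not None:
        ctx["aws:MultiFactorAuthPresent"] = mfa
    return evaluate(POLICY, action, ctx)
```

decide("s3:PutObject", "us-west-2") returns "Deny" with no MFA key in the request and "Allow" with mfa=True, while the same MFA-authenticated call for "us-east-1" returns "ImplicitDeny"; decide("s3:GetObject", "us-west-2") is "Allow" either way, which is option D.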
Answer
The correct answer is: D