Exam AWS Certified Security - Specialty topic 1 question 137 discussion

D is what i thought if the IAM is allowing the users the buckets policy is not needed but if the bucket policy is denying access no matter if the IAM user policy grants it

Answer: D

Resource policy comes BEFORE identity policy when evaluating, and an explicit deny overrule an allow. D..ofc.

D. The S3 bucket policy explicitly denies access to the Application Developer. If the S3 bucket policy explicitly denies access to the Application Developer, this would certainly cause the issue. S3 bucket policies can include "Deny" statements that override "Allow" statements in IAM policies. The most likely cause of the issue is option D. The S3 bucket policy explicitly denying access to the Application Developer would result in the behavior described. You should check the S3 bucket policy to ensure that it does not contain any explicit "Deny" statements for the Application Developer.

Option "D" says explicitly denies which means, the particular user has to be denied. But that is not the case here. So, option "C" is the right answer because due to other reasons (like not granted) he might have got blocked

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

I'd go with D. If the IAM policy has an allow, only an *explicit* deny would stop the user from accessing the bucket. Yes, it could be a problem with the key, but "list the application developer as an administrator" isn't required to use the key itself.

To explain, when you use server-side encryption with AWS Key Management Service (SSE-KMS) for an S3 bucket, not only does the IAM policy need to allow access to the S3 bucket, but the key policy for the KMS key used for encryption also needs to allow the necessary permissions. In other words, if the Application Developer doesn't have the necessary permissions in the KMS key policy to use the key (like kms:Decrypt for reading objects, for example), they would be unable to access the objects in the bucket, even if their IAM policy allows S3 bucket access. Of course, without more specific details, this is just one possible cause. There could be other potential issues too (like explicit deny statements, lack of necessary S3 permissions in the IAM policy, etc.), but based on the information in the question, Option B seems the most likely.

The IAM role has been configured to allow access to the S3 resource. However the bucket has an explicit deny policy which takes precedence over the allow rule.

Why is c not answer?

https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

Answer: D

D is blocking, though IAM policy allowing as stated in the question

I will go with D,E

Ans is D Reason: You don't need to explicitly grant permission to user in S3 Policy if he\she has permission in IAM, except when the S3 policy has explicit DENY

It mentions the bucket is encrypted. It could have to do with something with KMS etc too right? Like, maybe the user doesn't have kms:Decrypt permissions? Or am I wrong here

I'll go with D