Exam AWS Certified Security - Specialty topic 1 question 139 discussion

D to me

Correct answer is D. Obviously all users are allowed to access KMS key and "kmsDecrypt" action. The point is to restrict action to the prefix that belong to each of them. Policy variable is for this case arn:aws:s3:::examplebucket/${aws:username}/

As per AWS documentation: If the IAM user and S3 bucket belong to the same AWS account, then you can grant the user access to a specific bucket folder using an IAM policy. As long as the bucket policy doesn't explicitly deny the user access to the folder, you don't need to update the bucket policy if access is granted by the IAM policy. You can add the IAM policy to individual IAM users, or you can attach the IAM policy to an IAM role that multiple users can switch to. Answer D

D for me. Found this on another site which had B marked as correct answer. hmm Really appreciate that we have the discussions here!

In case of B, you need to re-encrypt the data, which can be costly. The bucket already exists, therefore D is more appropriate in this case.

B and D make sense. For B look up the following link: https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html We can utilize kms:EncryptionContext for adding IAM variables such as aws:username. CMK allows centralized access control and if it's not explicitly allowed in a key policy, v the request it's gonna be denied. (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html). So there's no way to allow access to s3 objects if it's not allowed in the key policy. D. It's workable solution, but we ALLOW access. So any user can extend their privs by adding another policy for the entire bucket. There's no key policies involved due to amazon managed keys.

https://aws.amazon.com/premiumsupport/knowledge-center/iam-s3-user-specific-folder/ You can do this by using policy variables, which allow you to specify placeholders in a policy. When the policy is evaluated, the policy variables are replaced with values that come from the request itself. This example shows a policy for an Amazon S3 bucket that uses the policy variable ${aws:username}:

D- this examples is given here https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html

agree on D.

D looks best but does it assume that the folder path has to follow a certain pattern that contains user name in it ? What if the path to be provided access does not have this pattern set ?

D is correct if the folder have the name of the user.

D for me

Looks like it is D: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-policies-s3.html Scroll down a bit to the section labeled "Allowing each IAM user access to a folder in a bucket" and it explains how you can use the ${aws:username} policy variable to restrict users to their assigned folders only

I'll go with D

I don't think it is D. Question is asking for folder level restriction. You cannot do this with IAM policy - only S3 ACL.

d for me

D, for sure