Exam AWS-SysOps topic 1 question 780 discussion

The correct answer is A. You make the BUCKET public, NOT the bucket objects. Link: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/static-website-hosting.html "Step 3: Adding a bucket policy After you edit S3 Block Public Access settings, you can add a bucket policy to grant public read access to your bucket. When you grant public read access, anyone on the internet can access your bucket"

B. Policy example (look at the asterisk (*) sign) "Resource": [ "arn:aws:s3:::example.com/*" ] REF: https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html

By default, an S3 bucket does not allow public access to its objects. To make the website content accessible, you need to add a bucket policy that explicitly grants read access to everyone. The policy should allow the "s3:GetObject" action on the bucket objects.

Answer is B Public – Everyone has access to one or more of the following: List objects, Write objects, Read and write permissions. Objects can be public – The bucket is not public, but anyone with the appropriate permissions can grant public access to objects.

You need access to object in a bucket not the bucket itself. reversed logic in here but this is the way

B - all example policies in https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html include asterisk -> arn:aws:s3:::DOC-EXAMPLE-BUCKET/*

Okay after a lot of research and looking through the resources that everyone has posted here, as well as re-reading the question a thousand times. I believe I have come to a conclusion. The answer here is B. The ONLY reason it isn't A is because the answer states to "add a bucket policy" to grant read access. You simply edit the "S3 Block Public Access" settings to allow the bucket to be public and THEN apply a BUCKET POLICY that allows read access to the bucket.

Go with A . B on required if the object is owned by non bucket owner. https://forums.aws.amazon.com/thread.jspa?threadID=241036 https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteAccessPermissionsReqd.html

I agree with Huy. It is B. Why a wrong answer has a lot of votes?

It is B. This is easy to try. Please try yourself. Why wrong answer has a lot of upvotes?

The answer is B. Based on the reference: Allow public read access to the object in one of the following ways: - Create a bucket policy that allows public read access for all objects in the bucket. - Use the Amazon S3 console to allow public read access for the object. https://aws.amazon.com/premiumsupport/knowledge-center/s3-website-cloudfront-error-403/

Correct Answer A https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteAccessPermissionsReqd.html B should not be a bucket policy, but an Object ACL

B is ok as per https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteAccessPermissionsReqd.html#block-public-access-static-site but why CORS is not correct ? won't it generate 403 as well ?

B is correct. The object-level permissions are more relevant as the website users must able to perform the s3:GetObject API action to retrieve the objects.

I'll go with A: "To make the objects in your bucket publicly readable, you must write a bucket policy that grants everyone s3:GetObject permission. After you edit S3 Block Public Access settings, you can add a bucket policy to grant public read access to your bucket. When you grant public read access, anyone on the internet can access your bucket." "You can use a bucket policy to grant public read permission to your objects. However, the bucket policy applies only to objects that are owned by the bucket owner. If your bucket contains objects that aren't owned by the bucket owner, the bucket owner should use the object access control list (ACL) to grant public READ permission on those objects." https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteAccessPermissionsReqd.html

Objects in the bucket must be publicly accessible. Hence B

Answer should be A.