Exam AWS Certified Solutions Architect - Professional topic 1 question 643 discussion

Answer C and D - My two cents: A is INCORRECT even though a bucket policy IS a resource based policy and will be evaluated AFTER Organizations SCPs, if a DENY is set in the policy you will list see it listed. You will see the word "ERROR" in the Access column. B is INCORRECT because even though ACLs are resource-based policies you use ACLs to grant basic read/write permissions on the objects in the bucket. You'll still be able to ListBuckets if there is an ACL on the bucket. C is CORRECT because after the Deny Evaluation a Organization SCPs are evaluated and take affect/merged. (See Link Below) D is CORRECT because a DENY on the permission boundary will not allow the developer to ListBuckets E is INCORRECT because this is a IAM Permission and applied AFTER DENY, ORG SCP, and RESOURCE-based policy evaluation. In addition the Solution Architect checked the developers IAM User and it was listed as readonly. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow

c,d seems correct

The answer is CD A. Check the bucket policies for all S3 buckets. Not relevant , the user is facing an issue to list all buckets. If the question is about access denied when trying to read or write from some bucket then this might be the cause B. Check the ACLs for all S3 buckets. Same as A C. Check the SCPs set at the organizational units (OUs). Correct , even if a user has IAM permission to access a service if the SCP for his OU denies it he cant access D. Check for the permissions boundaries set for the IAM user. This is correct , the issue could be because of the permission set for the IAM user E. Check if an appropriate IAM role is attached to the IAM user. Not relevant , the permission to access S3 in the question is defined on the user and there is no mention that the user is a assuming a role or that an ec2 instance with that role is having the problem

CD for me. Since we cannot list any bucket at all - A& B are excluded. E - we already have this kind of access - not relevant.

Agree with CD.

There are several ways to control access S3 bucket. - IAM user policy - bucket policy - ACLs - S3 block public access If setting related with IAM is right, we should check their bucket policies and ACLs. So answer is A and B.

C, D is correct A service control policy (SCP) may have been implemented that limits the API actions that are available for Amazon S3. This will apply to all users in the account regardless of the permissions they have assigned to their user account. Another potential cause of the issue is that the permissions boundary for the user limits the S3 API actions available to the user. A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity’s permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries

It's C D with evaluating Identity-based policies with boundaries

C&D correct https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/

CCC DDD ---

CD is the answer.

I'll go with C,D

it's C,D

C and D. If I go with IAM Policy Evaluation Logic mentioned here : https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow Deny Evaluation : There is no explicit deny mentioned Organizations SCPs : C (not checked as per question) Resource based policies : Not given as a option or mentioned in question IAM permission boundaries : D (not checked as per question) Session Policies : Not given as a option or mentioned in question Identity Based Policy : Based on question user(or its group which is implicit) is already having read-only access to all S3 buckets Errors : Not given as a option or mentioned in question

i choose C & D

trick question C&D check the vein dig on https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html and things will make sense.

CD WOULD FOR ME AS WELL.