
Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 264 discussion

A company has hired a new cloud engineer who should not have access to an Amazon S3 bucket named CompanyConfidential. The cloud engineer must be able to read from and write to an S3 bucket called AdminTools.
Which IAM policy will meet these requirements?
A.
B.
C.
D.
Suggested Answer: C

Comments

cryogenic007
Highly Voted 3 years, 7 months ago
Here is a proper explanation on why option A is correct. The policy is separated into two parts because the ListBucket action requires permissions on the bucket while the other actions require permissions on the objects in the bucket. You must use two different Amazon Resource Names (ARNs) to specify bucket-level and object-level permissions. The first Resource element specifies arn:aws:s3:::AdminTools for the ListBucket action so that applications can list all objects in the AdminTools bucket. Without seeing the bucket you can't read anything from it (or) put anything into it.
upvoted 60 times
DS01
3 years, 6 months ago
https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/
upvoted 4 times
someoneSays
3 years, 7 months ago
For sure it's A, https://aws.amazon.com/premiumsupport/knowledge-center/s3-console-access-certain-bucket/ We need ListBucket + Get + Put to modify and read.
upvoted 13 times
noahsark
3 years, 6 months ago
Is there a List requirement in the question? List: Permission to list resources within the service to determine whether an object exists. Actions with this level of access can list objects but cannot see the contents of a resource. For example, the Amazon S3 action ListBucket has the List access level. Read: Permission to read but not edit the contents and attributes of resources in the service. For example, the Amazon S3 actions GetObject and GetBucketLocation have the Read access level. Write: Permission to create, delete, or modify resources in the service. For example, the Amazon S3 actions CreateBucket, DeleteBucket and PutObject have the Write access level. Write actions might also allow modifying a resource tag. However, an action that allows only changes to tags has the Tagging access level. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html
upvoted 2 times
Twinkie
3 years, 7 months ago
You don’t need listing access to delete an object using the CLI, REST API and so on if you know the object name; therefore A is not needed and C is best for least access.
upvoted 5 times
lc76262
3 years, 7 months ago
Option A lacks the permission to overwrite existing objects, which will require s3:DeleteObject + s3:PutObject, which is the only way to edit the objects you own.
upvoted 1 times
Iamrandom
3 years, 7 months ago
You sure you require DeleteObject or it's just a speculation?
upvoted 2 times
developer_404
Highly Voted 3 years, 7 months ago
Answer is C, exact match. Answer A is wrong. It is adding one more action, listobject, which is not specified in the question. They asked for read and write, which is get and put for the AdminTools.
upvoted 24 times
theCreatorSD
3 years, 7 months ago
Do you mean that you can read and write without List on the S3 bucket?
upvoted 1 times
cannottellname
3 years, 5 months ago
Yes, but it is a STUPID thing to do.
upvoted 2 times
noahsark
3 years, 6 months ago
Yes. List: Permission to list resources within the service to determine whether an object exists. Actions with this level of access can list objects but cannot see the contents of a resource. For example, the Amazon S3 action ListBucket has the List access level. Read: Permission to read but not edit the contents and attributes of resources in the service. For example, the Amazon S3 actions GetObject and GetBucketLocation have the Read access level. Write: Permission to create, delete, or modify resources in the service. For example, the Amazon S3 actions CreateBucket, DeleteBucket and PutObject have the Write access level. Write actions might also allow modifying a resource tag. However, an action that allows only changes to tags has the Tagging access level. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html
upvoted 1 times
meberlin
3 years, 6 months ago
If you don't have the List Bucket access, you can't even see the bucket in the console. Also, C is giving List Bucket access to the bucket the user should not see or access. Therefore, ans A is correct.
upvoted 4 times
noahsark
3 years, 6 months ago
There is no List requirement in the question. List: Permission to list resources within the service to determine whether an object exists. Actions with this level of access can list objects but cannot see the contents of a resource. For example, the Amazon S3 action ListBucket has the List access level. Read: Permission to read but not edit the contents and attributes of resources in the service. For example, the Amazon S3 actions GetObject and GetBucketLocation have the Read access level. Write: Permission to create, delete, or modify resources in the service. For example, the Amazon S3 actions CreateBucket, DeleteBucket and PutObject have the Write access level. Write actions might also allow modifying a resource tag. However, an action that allows only changes to tags has the Tagging access level. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html
upvoted 1 times
ruqui
1 year, 11 months ago
Wrong!!!! If you want to read from a bucket, then you need s3:ListBucket; correct answer is A.
upvoted 1 times
mohebius
Most Recent 2 years, 5 months ago
A is correct. https://aws.amazon.com/es/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/ The following sample IAM policy grants programmatic read-write access to the test bucket. Sample 1: Programmatic read and write permissions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::test"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::test/*"]
    }
  ]
}
upvoted 1 times
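The point made in cryogenic007's explanation above (ListBucket is evaluated against the bucket ARN, Get/Put against the object ARN) and the sample policy mohebius quotes can be checked mechanically. The following is an added illustration, not code from this page or from AWS: a toy evaluator that applies IAM's decision order (explicit Deny wins, otherwise an Allow must match, otherwise implicit deny) with `*`/`?` wildcards, and runs the question's requirements against three constructed policy shapes. The bucket names come from the question; the object keys, the `BUCKET_LEVEL_ACTIONS` subset, the `MISPLACED_LIST` and `BROAD_WITH_DENY` variants and all function names are assumptions made for this example. Conditions, NotAction/NotResource, principals and bucket policies are deliberately out of scope.

```python
"""Toy IAM evaluator for the AdminTools / CompanyConfidential question.

Added illustration, not code from the exam page or from AWS. It implements
only the slice of IAM evaluation the question needs: an explicit Deny always
wins, otherwise some Allow must match, otherwise the request is implicitly
denied. Conditions, NotAction/NotResource, principals and bucket policies are
ignored.
"""
import re

# S3 actions that IAM evaluates against the bucket ARN rather than "bucket/key".
# Constructed subset for this example; the full list is in the S3 docs.
BUCKET_LEVEL_ACTIONS = {"s3:listbucket", "s3:getbucketlocation", "s3:deletebucket"}

# Read/write policy shaped as the highly voted comments describe answer A:
# ListBucket on the bucket ARN, Get/Put on the object ARN. Nothing is granted
# on CompanyConfidential, so IAM's default (implicit deny) applies there.
ADMIN_TOOLS_RW = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::AdminTools"]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::AdminTools/*"]},
    ],
}

# Constructed pitfall: ListBucket attached only to the object ARN. The pattern
# "AdminTools/*" never matches the bare bucket ARN, so listing is denied.
MISPLACED_LIST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::AdminTools/*"]},
    ],
}

# Constructed "broad allow plus explicit deny" shape (in the spirit of the B
# discussion, not a claim about B's exact text): s3:* everywhere, with
# CompanyConfidential carved out by a Deny.
BROAD_WITH_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::CompanyConfidential",
                      "arn:aws:s3:::CompanyConfidential/*"]},
    ],
}


def _wild(pattern: str) -> re.Pattern:
    """Compile an IAM-style pattern: '*' matches any run, '?' one character."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(f"^{body}$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action/resource pair.

    Action names compare case-insensitively (as IAM does); resource ARNs are
    compared as written.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_wild(a.lower()).match(action.lower())
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_wild(r).match(resource)
                           for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"      # an explicit deny is final
            decision = "Allow"     # keep scanning in case a later Deny matches
    return decision


def s3_arn(action: str, bucket: str, key: str = "") -> str:
    """Build the ARN that IAM evaluates the given S3 action against."""
    if action.lower() in BUCKET_LEVEL_ACTIONS:
        return f"arn:aws:s3:::{bucket}"
    return f"arn:aws:s3:::{bucket}/{key}"


# Constructed calls covering the question: list, read and write on AdminTools,
# and no access of any kind to CompanyConfidential.
SCENARIO = [
    ("s3:ListBucket", "AdminTools", ""),
    ("s3:GetObject", "AdminTools", "runbooks/restart.sh"),
    ("s3:PutObject", "AdminTools", "runbooks/restart.sh"),
    ("s3:ListBucket", "CompanyConfidential", ""),
    ("s3:GetObject", "CompanyConfidential", "payroll.csv"),
]


def check_requirements(policy: dict) -> dict:
    """Map each scenario call (as 'action bucket/key') to its decision."""
    return {f"{a} {b}/{k}".rstrip("/"): evaluate(policy, a, s3_arn(a, b, k))
            for a, b, k in SCENARIO}


def meets_question(policy: dict) -> bool:
    """True when every AdminTools call is allowed and no Confidential call is."""
    results = check_requirements(policy)
    admin_ok = all(v == "Allow" for k, v in results.items() if "AdminTools" in k)
    conf_blocked = all(v != "Allow" for k, v in results.items()
                       if "CompanyConfidential" in k)
    return admin_ok and conf_blocked


if __name__ == "__main__":
    for name, pol in [("ADMIN_TOOLS_RW", ADMIN_TOOLS_RW),
                      ("MISPLACED_LIST", MISPLACED_LIST),
                      ("BROAD_WITH_DENY", BROAD_WITH_DENY)]:
        print(name, meets_question(pol), check_requirements(pol))
```

Both `ADMIN_TOOLS_RW` and `BROAD_WITH_DENY` satisfy the question's stated requirements, but the evaluator also shows why the allow-only shape is the least-privilege one: the broad variant still returns Allow for any other bucket in the account, so it relies on the Deny statement for every future bucket that should stay off limits, whereas the two-statement allow-only policy grants nothing outside AdminTools. `MISPLACED_LIST` illustrates the ARN mistake the thread warns about: Get/Put work, but `s3:ListBucket` on `arn:aws:s3:::AdminTools` falls through to implicit deny.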
Six_Fingered_Jose
2 years, 6 months ago
A is correct for sure
upvoted 1 times
rude7
2 years, 8 months ago
A is correct. Bucket-level policy (list) is required for read/write permissions at the bucket object level. None are required for explicit deny as seen in option B. https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/
upvoted 1 times
oblack23
2 years, 8 months ago
https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/
upvoted 1 times
oblack23
2 years, 8 months ago
Option B.
upvoted 1 times
o0o0o0
2 years, 9 months ago
A, https://aws.amazon.com/ko/premiumsupport/knowledge-center/s3-console-access-certain-bucket/
upvoted 1 times
medusarose
2 years, 9 months ago
Why not B? It says Write permissions, which means DeleteObject must be there. B denies all Confidential and allows all Admin
upvoted 1 times
bighedgedog
2 years, 10 months ago
A. Even if it's not explicitly requested in the question, list is highly recommended to work with buckets. https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/
upvoted 1 times
VijiTu
2 years, 11 months ago
Answer is A. Refer to the explanation in this link: https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/
upvoted 2 times
ravisar
2 years, 11 months ago
Answer is A. You need the list permission granted before read and write permission. https://docs.aws.amazon.com/transfer/latest/userguide/read-write-access.html
upvoted 3 times
examJack
3 years, 1 month ago
The "List Bucket" is not explicit in the question, but it is a required and implied restriction. Bucket permission and object permission are separated in AWS. Needed permissions: List Bucket, Get/Put Object. If a user doesn't have any permission on the bucket where the object is included, s/he can't access the object. cf. https://aws.amazon.com/premiumsupport/knowledge-center/s3-console-access-certain-bucket/
A. right permissions: List Bucket, Get/Put Object
B. wrong permissions
C. in this case, user can't access the 'AdminTools' bucket itself
D. Delete is not required
upvoted 2 times
jennyka76
3 years, 2 months ago
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html = Answer - A
upvoted 1 times
[Removed]
3 years, 3 months ago
A. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html
upvoted 2 times
muhsin
3 years, 4 months ago
Ans: A. Please check out the link https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/#:~:text=Sample%201%3A%20Programmatic%20read%20and%20write%20permissions
upvoted 1 times
rupiii
3 years, 6 months ago
It's A, https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html
upvoted 1 times
KyleZheng
3 years, 6 months ago
It is always a good practice to give ListBucket permission while granting read permission. Permissions: You need the relevant read object (or version) permission for this operation. For more information, see Specifying Permissions in a Policy. If the object you request does not exist, the error Amazon S3 returns depends on whether you also have the s3:ListBucket permission. If you have the s3:ListBucket permission on the bucket, Amazon S3 will return an HTTP status code 404 ("no such key") error. If you don’t have the s3:ListBucket permission, Amazon S3 will return an HTTP status code 403 ("access denied") error.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other