A company wants to store sensitive data in Amazon S3. The S3 bucket and its contents must be accessible only from the on-premises corporate network. What should a SysOps administrator do to configure the S3 bucket policy statement?
A. Use a Deny effect with a condition based on the aws:sourceVpc key.
B. Use a Deny effect with a condition based on the NotIpAddress key.
C. Use an Allow effect with a condition based on the IpAddress key.
D. Use an Allow effect with a condition based on the s3:LocationConstraint key.
A. This would only deny a specific VPC.
B. This would only deny a specific IP or subnet.
D. s3:LocationConstraint would only allow a user for bucket creation in a specified region.
C. IpAddress under Condition would allow the on-premises corporate network by stating its subnet or IP; thus, the correct answer.
The answer is B.
The contention is between 'implicit deny' vs 'explicit deny', and 'explicit deny' triumphs over all in the IAM world. By default, all requests are denied, which is called 'implicit deny'. By allowing the on-premises IP CIDR in the condition, we have mentioned an 'explicit allow'. An 'explicit allow' can overcome 'implicit deny', which is the case with option C. But putting an 'explicit deny' overwrites all allows. Thus the answer is B.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
For this scenario, you want to ensure that only requests originating from the on-premises corporate network are allowed access to the S3 bucket. To achieve this, you can create a bucket policy with an Allow effect and use the IpAddress condition to restrict access to the specified IP address range of the corporate network.
Option B (Deny effect with a condition based on the NotIpAddress key) is not recommended because it denies access based on the inverse condition. It's generally better to explicitly allow trusted sources rather than trying to deny all possible sources.
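As an added example (not from any of the commenters), a small Python model of the evaluation logic the two comments above argue over: it builds the option B and option C bucket policies for a constructed corporate CIDR and runs a simplified version of the IAM decision flow over requests from inside and outside that range. The bucket name and CIDR are made-up values, and the model keeps only implicit deny, explicit allow and explicit deny (no SCPs, permission boundaries or cross-account rules).

```python
import ipaddress

# Constructed sample values (not from the question); replace with the real bucket and CIDR.
BUCKET = "corp-sensitive-data"
CORP_CIDR = "203.0.113.0/24"

def bucket_policy(bucket, cidr, effect, operator):
    """Build a one-statement bucket policy: (Allow, IpAddress) is option C,
    (Deny, NotIpAddress) is option B."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": effect, "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {operator: {"aws:SourceIp": cidr}}}]}

def evaluate(policy, source_ip, identity_allows=False):
    """Simplified IAM evaluation: implicit deny by default, a matching Allow
    grants, a matching explicit Deny always wins. identity_allows models a
    same-account caller whose IAM identity policy already grants s3:*."""
    ip = ipaddress.ip_address(source_ip)
    decision = "Allow" if identity_allows else "ImplicitDeny"
    for st in policy["Statement"]:
        cond = st.get("Condition", {})
        in_range = lambda op: ip in ipaddress.ip_network(cond[op]["aws:SourceIp"])
        if "IpAddress" in cond and not in_range("IpAddress"):
            continue  # condition not met, statement does not apply
        if "NotIpAddress" in cond and in_range("NotIpAddress"):
            continue  # request is inside the range, so the Deny does not apply
        if st["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision

def compare(bucket, cidr, inside_ip, outside_ip):
    """Outcome of each option for requests from inside and outside the corporate range."""
    allow = bucket_policy(bucket, cidr, "Allow", "IpAddress")   # option C
    deny = bucket_policy(bucket, cidr, "Deny", "NotIpAddress")  # option B
    return {
        "C_inside": evaluate(allow, inside_ip),
        "C_outside": evaluate(allow, outside_ip),
        "C_outside_identity_granted": evaluate(allow, outside_ip, identity_allows=True),
        "B_inside_identity_granted": evaluate(deny, inside_ip, identity_allows=True),
        "B_outside_identity_granted": evaluate(deny, outside_ip, identity_allows=True),
    }
```

The "C_outside_identity_granted" case is the gap the second comment describes: an Allow-only bucket policy does not stop a same-account identity that is already granted access elsewhere, whereas the NotIpAddress Deny returns ExplicitDeny regardless.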