Exam AWS Certified Security - Specialty topic 1 question 254 discussion

A is wrong as it mentions whole data is publicly accessible. B is wrong as it mentions none of the data is publicly accessible but its accessible from that IP range mentioned. C is wrong as it was nothing to do with IAM policy. D make sense, because even though having the bucket policy we can go ahead and make any object public by selecting the object and make public. In this case the object will be publicly accessible using the Object URL.

D Because a) bucket policy does not deny public access b) ACL not known ... if it allows, then the bucket is accessible publicly. ref: https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

i know this is old question but as of today december 2023; if you have configured S3 bucket or object ACLs to block public access, and the bucket policy contains a private CIDR range like 10.10.10.0/24 in the aws:sourceip condition, public access would still be allowed. Even though the ACLs block public access, the bucket policy overrides this. And specifying a private CIDR range in a policy does not actually restrict access as the aws:sourceip condition checks the public IP of the request, not the private IP. +Bucket policies override any access configuration set by ACLs. +Private IP ranges cannot be used to restrict public internet access as the request source IP seen will always be a public IP. + The policy containing the private CIDR range would not error, but would have no effect on access control since the CIDR cannot match public IP addresses. Peace:)

Whenever an AWS principal issues a request to S3, the authorization decision depends on the union of all the IAM policies, S3 bucket policies, and S3 ACLs that apply.

First, the policy is invalid with the private IP CIDR in condition. A - the policy tries to grant access (assume public IP is used) to a specific IP range. not to make the bucket public accessible B: ACL can have the object public accessible (confirmed by testing) C: IAM user policy is for controlling IAM user access, not about public access D: Correct. refer to B

The answer is A: IP Control should be NotIpAddress, not IpAddress.

Is it C as if an IAM policy has an allow action, the user will be able to still access the bucket data.

Just do the sample test on AWS. You will get an error message when inputting the bucket policy as the question: "aws:SourceIp works only for public IP address ranges." which kicks A and B out. The answer is D. The global condition key aws:SourceIp works only for public IP address ranges. You receive this error when your policy allows only private IP addresses. In this case, the condition would never match. https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-private-ip-address

When you create a bucket or put an object into it, the bucket or the object is private to you. Any other access to the bucket or the object is public access. The above policy allows public access from the 10.10.10.0/24 to examplebucket and its content, no matter what is the configuration of S3 ACL or object ACL! So, option A is the correct answer.

I would go with B since there is a condition which can’t be bypassed. According to below page: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html Policies When evaluating a bucket policy, Amazon S3 begins by assuming that the policy is public. It then evaluates the policy to determine whether it qualifies as non-public. To be considered non-public, a bucket policy must grant access only to fixed values (values that don't contain a wildcard) of one or more of the following: A set of Classless Inter-Domain Routings (CIDRs), using aws:SourceIp. For more information about CIDR, see RFC 4632 on the RFC Editor website.

Is D the right answer?

All options seem wrong to me. the mention condition doesn't even support private IP range. it only supports public IP address.

https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

I think the answer is B. No matter what the ACLs permit, the Condition locks access down to the 10.10.10.0/24 network, which is an internal range. To me, internal means not public.

Answer appears to be D.

The answer is D. "Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both." https://aws.amazon.com/s3/features/block-public-access/

So is the answer C or D?