Exam AWS DevOps Engineer Professional topic 1 question 7 discussion

Exam question from Amazon's AWS DevOps Engineer Professional
Question #: 7
Topic #: 1

A DevOps engineer is developing an application for a company. The application needs to persist files to Amazon S3. The application needs to upload files with different security classifications that the company defines. These classifications include confidential, private, and public. Files that have a confidential classification must not be viewable by anyone other than the user who uploaded them. The application uses the IAM role of the user to call the S3 API operations.
The DevOps engineer has modified the application to add a DataClassification tag with the value of confidential and an Owner tag with the uploading user's ID to each confidential object that is uploaded to Amazon S3.
Which set of additional steps must the DevOps engineer take to meet the company's requirements?

  • A. Modify the S3 bucket's ACL to grant bucket-owner-read access to the uploading user's IAM role. Create an IAM policy that grants s3:GetObject operations on the S3 bucket when aws:ResourceTag/DataClassification equals confidential, and s3:ExistingObjectTag/Owner equals ${aws:userid}. Attach the policy to the IAM roles for users who require access to the S3 bucket.
  • B. Modify the S3 bucket policy to allow the s3:GetObject action when aws:ResourceTag/DataClassification equals confidential, and s3:ExistingObjectTag/Owner equals ${aws:userid}. Create an IAM policy that grants s3:GetObject operations on the S3 bucket. Attach the policy to the IAM roles for users who require access to the S3 bucket.
  • C. Modify the S3 bucket policy to allow the s3:GetObject action when aws:ResourceTag/DataClassification equals confidential, and aws:RequestTag/Owner equals ${aws:userid}. Create an IAM policy that grants s3:GetObject operations on the S3 bucket. Attach the policy to the IAM roles for users who require access to the S3 bucket.
  • D. Modify the S3 bucket's ACL to grant authenticated-read access when aws:ResourceTag/DataClassification equals confidential, and s3:ExistingObjectTag/Owner equals ${aws:userid}. Create an IAM policy that grants s3:GetObject operations on the S3 bucket. Attach the policy to the IAM roles for users who require access to the S3 bucket.
Suggested Answer: B
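An added example, not part of the exam item or its discussion: a bucket policy in the shape the suggested answer describes, allowing s3:GetObject only when the object's DataClassification and Owner tags match the caller, plus a Deny guard for confidential objects. The bucket name and role ARN are placeholders, and both tags are checked with s3:ExistingObjectTag (the object-tag condition key the options use for Owner), on the assumption that it is the key S3 evaluates for object tags.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOwnerReadOfConfidentialObjects",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/PLACEHOLDER-app-user-role"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::PLACEHOLDER-classified-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/DataClassification": "confidential",
          "s3:ExistingObjectTag/Owner": "${aws:userid}"
        }
      }
    },
    {
      "Sid": "DenyNonOwnerReadOfConfidentialObjects",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::PLACEHOLDER-classified-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/DataClassification": "confidential"
        },
        "StringNotEquals": {
          "s3:ExistingObjectTag/Owner": "${aws:userid}"
        }
      }
    }
  ]
}
```

The Deny matters because, within one account, the blanket s3:GetObject Allow in the IAM policy would on its own be enough to read every object; with it, a confidential object can only be read by a caller whose aws:userid equals the Owner tag. For an assumed role, aws:userid is the role's unique ID followed by the session name, so the Owner tag written at upload must hold exactly that value or the Allow never matches.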

Comments

ohcn
Highly Voted 2 years, 10 months ago
Selected Answer: B
B - https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging-and-policies.html
upvoted 8 times
xdkonorek2
Most Recent 1 year, 5 months ago
You can rule out B and C momentarily because GetObject on IAM permission will give it permission to all IAM roles with attached policy regardless of bucket policy, having no deny statements. You can rule out A and D because ACLs can be conditionally applied or be applied to specific principals.
upvoted 1 times
xhi158
1 year, 7 months ago
B is the answer. To meet the company's requirements, the DevOps engineer must modify the S3 bucket policy to allow the s3:GetObject action when aws:ResourceTag/DataClassification equals confidential, and s3:ExistingObjectTag/Owner equals ${aws:userid}. The engineer must also create an IAM policy that grants s3:GetObject operations on the S3 bucket. The policy should be attached to the IAM roles for users who require access to the S3 bucket.
upvoted 1 times
hp298
2 years, 3 months ago
Selected Answer: B
B is the answer
upvoted 1 times
sasa33_p
2 years, 4 months ago
Selected Answer: B
B sounds great.
upvoted 1 times
Bulti
2 years, 6 months ago
B. Based on the link given by ohcn
upvoted 1 times
nzin4x
2 years, 9 months ago
Selected Answer: B
good enough
upvoted 1 times
dangdoan
2 years, 10 months ago
B sounds correct.
upvoted 1 times
colinquek
2 years, 10 months ago
B sounds most doable.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other