
Bucket policies for access control in AWS - Practice Problems & Coding Challenges

Challenge - 5 Problems
Category: service behavior | Difficulty: intermediate
What happens when a bucket policy denies requests from outside your network?

You have an S3 bucket with a policy that explicitly denies any request where the source IP is not from your corporate network. What will happen if someone tries to access the bucket from outside your network?

A. The request is allowed but logged for review.
B. The request is denied and the user receives an access denied error.
C. The request is allowed only if the user is authenticated with AWS credentials.
D. The request is redirected to a public read-only copy of the bucket.
💡 Hint

Think about what a Deny statement does to a request that matches it: an explicit Deny overrides every Allow, whether that Allow comes from the bucket policy or from the caller's own IAM policy, so valid credentials do not help. Note also that aws:SourceIp is only the public source address; requests arriving through a VPC endpoint do not carry it, so an IP-only Deny can block those too.

Category: configuration | Difficulty: intermediate
Which bucket policy snippet grants read-only access to a specific IAM user?

Given an IAM user with ARN arn:aws:iam::123456789012:user/Alice, which bucket policy snippet correctly grants read-only access to the bucket example-bucket?

A. { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/Alice"}, "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*" }
B. { "Effect": "Allow", "Principal": "*", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket" }
C. { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/Alice"}, "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*" }
D. { "Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::123456789012:user/Alice"}, "Action": ["s3:DeleteObject"], "Resource": "arn:aws:s3:::example-bucket/*" }
💡 Hint

Read-only access means allowing only actions that retrieve objects, not modify or delete them. Check the other elements too: the Principal must name Alice (not "*"), and an object-level action such as s3:GetObject must be granted on the object ARN (example-bucket/*), not the bucket ARN. A Deny statement on its own grants nothing.

Category: architecture | Difficulty: advanced
How to design a bucket policy to allow public read access only to a specific folder?

You want to make only the public/ folder inside your S3 bucket my-bucket publicly readable, but keep the rest private. Which bucket policy achieves this?

A. { "Effect": "Deny", "Principal": "*", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-bucket/private/*" }
B. { "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-bucket/*" }
C. { "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-bucket/public/*" }
D. { "Effect": "Allow", "Principal": "*", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::my-bucket/public" }
💡 Hint

Focus on granting access only to the objects inside the public/ folder; everything else stays implicitly denied without any extra Deny statement. In practice this policy can only take effect if S3 Block Public Access is not blocking public bucket policies for the bucket or account, so it is worth checking that setting before concluding the folder is reachable.

Category: security | Difficulty: advanced
What is the effect of a bucket policy that denies deletes made without MFA?

You have a bucket policy that denies all s3:DeleteObject actions unless the request includes MFA authentication. What happens if a delete request is made without MFA?

A. The delete request is denied regardless of the user's permissions.
B. The delete request is allowed if the user has IAM delete permissions.
C. The delete request is queued until MFA is provided.
D. The delete request is logged but still processed.
💡 Hint

Consider how explicit Deny statements affect requests: a Deny that matches the request wins over any Allow from any policy. The condition is normally written with the aws:MultiFactorAuthPresent key using the BoolIfExists operator, because a request signed with a plain long-term access key carries no such key at all, and with the plain Bool operator a missing key would make the Deny not apply. This bucket-policy condition is separate from S3's versioning-level MFA Delete feature, which protects version deletion and versioning state changes.
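
The three decisions above (Question 1's network Deny, Question 3's public folder, and this question's MFA Deny) all follow from the same evaluation order. The script below is an added illustration, not a tool from AWS or from this page: it implements the documented order (any matching explicit Deny wins, otherwise an explicit Allow is required, otherwise implicit Deny) for a small subset of the policy language and runs the quiz situations through it. The ARNs come from the questions; 203.0.113.0/24 stands in for the corporate egress range, and the object keys and request contexts are constructed for the example.

```python
import fnmatch
import ipaddress

# Constructed identifiers for the walkthrough (the ARNs match the quiz;
# 203.0.113.0/24 stands in for the corporate egress range).
ALICE = "arn:aws:iam::123456789012:user/Alice"
ANONYMOUS = None  # unauthenticated request: no principal ARN at all
CORP_NET = "203.0.113.0/24"
OBJ = "arn:aws:s3:::example-bucket/*"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    """'*' matches everyone, including anonymous; otherwise compare ARNs."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" or p == caller_arn for p in _as_list(principal.get("AWS", [])))
    return False


def _ip_in(actual, cidrs):
    return any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in cidrs)


def _condition_matches(conditions, ctx):
    """Every operator/key pair must hold. A key missing from the request
    context only satisfies the ...IfExists form (a simplification of the
    full IAM rules; only the operators used in the quiz are supported)."""
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            values = [str(v).lower() for v in _as_list(expected)]
            actual = ctx.get(key)
            if operator == "IpAddress":
                ok = actual is not None and _ip_in(actual, values)
            elif operator == "NotIpAddress":
                ok = actual is not None and not _ip_in(actual, values)
            elif operator == "Bool":
                ok = actual is not None and str(actual).lower() in values
            elif operator == "BoolIfExists":
                ok = actual is None or str(actual).lower() in values
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, caller_arn, action, resource, ctx=None):
    """Decide one request against one bucket policy: a matching explicit
    Deny wins, then a matching Allow, otherwise implicit Deny."""
    ctx = ctx or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides every Allow
        allowed = True
    return "Allow" if allowed else "Deny"


# Question 1: Alice may read, but nothing is allowed from outside CORP_NET.
CORP_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ALICE}, "Action": "s3:GetObject", "Resource": OBJ},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", OBJ],
     "Condition": {"NotIpAddress": {"aws:SourceIp": CORP_NET}}},
]}

# Question 3: only keys under public/ are world-readable; no Deny needed.
PUBLIC_PREFIX = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-bucket/public/*"},
]}

# Question 4: deletes need MFA. BoolIfExists matters: a plain access-key
# request carries no aws:MultiFactorAuthPresent key, and with Bool that
# absent key would make the Deny not match.
MFA_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ALICE},
     "Action": ["s3:GetObject", "s3:DeleteObject"], "Resource": OBJ},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject", "Resource": OBJ,
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}


def scenarios():
    """Decisions for the quiz situations, keyed by a short description."""
    obj = "arn:aws:s3:::example-bucket/report.pdf"  # constructed key
    return {
        "q1 alice from corp net": evaluate(CORP_ONLY, ALICE, "s3:GetObject", obj, {"aws:SourceIp": "203.0.113.7"}),
        "q1 alice from elsewhere": evaluate(CORP_ONLY, ALICE, "s3:GetObject", obj, {"aws:SourceIp": "198.51.100.9"}),
        "q3 anonymous public key": evaluate(PUBLIC_PREFIX, ANONYMOUS, "s3:GetObject", "arn:aws:s3:::my-bucket/public/logo.png"),
        "q3 anonymous private key": evaluate(PUBLIC_PREFIX, ANONYMOUS, "s3:GetObject", "arn:aws:s3:::my-bucket/private/db.sqlite"),
        "q4 delete with mfa": evaluate(MFA_DELETE, ALICE, "s3:DeleteObject", obj, {"aws:MultiFactorAuthPresent": "true"}),
        "q4 delete without mfa": evaluate(MFA_DELETE, ALICE, "s3:DeleteObject", obj, {"aws:MultiFactorAuthPresent": "false"}),
        "q4 delete via plain access key": evaluate(MFA_DELETE, ALICE, "s3:DeleteObject", obj, {}),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:32} -> {decision}")
```

The evaluator looks at the bucket policy alone. That is enough for the Deny cases, because a matching explicit Deny is final no matter what the caller's identity-based policies say; for an Allow to be sufficient on its own, the request must come from the bucket owner's account or be anonymous, while a cross-account principal also needs an Allow in its own IAM policy. The last scenario is the one to remember: with Bool instead of BoolIfExists, the access-key delete would have come back "Allow".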

Category: best practice | Difficulty: expert
Which bucket policy best follows the principle of least privilege for cross-account read access?

You want to allow read-only access to your bucket secure-bucket for a specific AWS account 987654321098. Which bucket policy snippet follows the principle of least privilege?

A. { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::987654321098:user/AnyUser"}, "Action": ["s3:*"], "Resource": "arn:aws:s3:::secure-bucket/*" }
B. { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::987654321098:root"}, "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::secure-bucket" }
C. { "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::secure-bucket" }
D. { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::987654321098:root"}, "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::secure-bucket/*" }
💡 Hint

Least privilege means granting only the exact permissions needed to the correct principal: no "*" principal, no wildcard actions, and the object-level action on the object ARN. Remember that a cross-account principal also needs a matching Allow in its own account's IAM policy before the bucket policy grant takes effect, and that naming the account's :root delegates the choice of who can use the grant to that account's administrators.
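
To make the reasoning behind this question and Question 2 mechanical, here is an added least-privilege linter for a single bucket-policy grant statement. It is example code written for this page, not an AWS tool: its rules are exactly the checks the hints call for (public principal without a Condition, wildcard actions, non-read actions in a read-only grant, bucket-level versus object-level resource ARNs, and whether the statement actually grants the action you need). The four statements it ranks are the options from this question; the account number and bucket name are the ones the question uses.

```python
import fnmatch
import re

# Added linter for bucket-policy grant statements. The rules are the
# least-privilege checks the quiz hints describe, not an AWS service.
BUCKET_LEVEL = {"s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation"}
READ_ONLY = BUCKET_LEVEL | {"s3:GetObject", "s3:GetObjectVersion"}
S3_ARN = re.compile(r"^arn:aws:s3:::([^/*]+)(/.*)?$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def lint_grant(stmt, needed=frozenset(), read_only=True):
    """Return the least-privilege problems found in one statement.
    `needed` is the set of actions the grant is supposed to provide."""
    problems = []
    if stmt.get("Effect") != "Allow":
        return ["a Deny statement grants nothing; an Allow is still required"]
    if _is_public(stmt.get("Principal")) and "Condition" not in stmt:
        problems.append("Principal '*' with no Condition makes this a public grant")
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    for action in actions:
        if action == "*" or action.endswith("*"):
            problems.append(f"wildcard action {action}")
            continue
        if read_only and action not in READ_ONLY:
            problems.append(f"{action} is not a read-only action")
        for arn in resources:
            match = S3_ARN.match(arn)
            if not match:
                problems.append(f"unrecognised S3 ARN {arn}")
                continue
            bucket_only = match.group(2) is None
            if action in BUCKET_LEVEL and not bucket_only:
                problems.append(f"{action} applies to the bucket ARN, not {arn}")
            elif action not in BUCKET_LEVEL and bucket_only:
                problems.append(f"{action} is object-level; {arn} names no objects")
    for action in sorted(needed):
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            problems.append(f"does not grant {action}")
    return problems


# The four candidate statements from the question above.
ACCOUNT = "987654321098"
BUCKET = "arn:aws:s3:::secure-bucket"
OPTIONS = {
    "A": {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/AnyUser"},
          "Action": ["s3:*"], "Resource": BUCKET + "/*"},
    "B": {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
          "Action": ["s3:ListBucket"], "Resource": BUCKET},
    "C": {"Effect": "Allow", "Principal": "*",
          "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": BUCKET},
    "D": {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
          "Action": ["s3:GetObject"], "Resource": BUCKET + "/*"},
}


def rank_options(options, needed):
    """Lint every option; the ones with an empty list satisfy the intent."""
    return {label: lint_grant(stmt, needed) for label, stmt in options.items()}


if __name__ == "__main__":
    for label, problems in rank_options(OPTIONS, {"s3:GetObject"}).items():
        print(label, "OK" if not problems else "; ".join(problems))
```

Run against the intent "read objects", only D comes back clean: A is flagged for s3:*, B for not granting s3:GetObject at all, and C both for the public principal and for putting an object-level action on the bucket ARN (which grants nothing for the objects). Option B is not wrong so much as insufficient, which is why the linter takes the needed actions as input rather than guessing the intent. The same function applied to the Question 2 options singles out A there as well.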