Bucket policies for access control in AWS - Practice Problems & Coding Challenges

Challenge - 5 Problems
service_behavior
intermediate
What happens when a bucket policy denies all public access?

You have an S3 bucket with a policy that explicitly denies any request where the source IP is not from your corporate network. What will happen if someone tries to access the bucket from outside your network?

A. The request is allowed but logged for review.
B. The request is denied and the user receives an access denied error.
C. The request is allowed only if the user is authenticated with AWS credentials.
D. The request is redirected to a public read-only copy of the bucket.

Hint: Think about what a deny statement in a bucket policy does to requests that do not meet the condition.

Configuration
intermediate
Which bucket policy snippet grants read-only access to a specific IAM user?

Given an IAM user with ARN arn:aws:iam::123456789012:user/Alice, which bucket policy snippet correctly grants read-only access to the bucket example-bucket?

A. { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/Alice"}, "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*" }
B. { "Effect": "Allow", "Principal": "*", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket" }
C. { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/Alice"}, "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*" }
D. { "Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::123456789012:user/Alice"}, "Action": ["s3:DeleteObject"], "Resource": "arn:aws:s3:::example-bucket/*" }

Hint: Read-only access means allowing only actions that retrieve objects, not actions that modify or delete them.

Architecture
advanced
How to design a bucket policy to allow public read access only to a specific folder?

You want to make only the public/ folder inside your S3 bucket my-bucket publicly readable, but keep the rest private. Which bucket policy achieves this?

A. { "Effect": "Deny", "Principal": "*", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-bucket/private/*" }
B. { "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-bucket/*" }
C. { "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-bucket/public/*" }
D. { "Effect": "Allow", "Principal": "*", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::my-bucket/public" }

Hint: Focus on granting access only to the objects inside the public/ folder.

security
advanced
What is the effect of a bucket policy with a Deny statement on MFA delete?

You have a bucket policy that denies all s3:DeleteObject actions unless the request includes MFA authentication. What happens if a delete request is made without MFA?

A. The delete request is denied regardless of the user's permissions.
B. The delete request is allowed if the user has IAM delete permissions.
C. The delete request is queued until MFA is provided.
D. The delete request is logged but still processed.

Hint: Consider how explicit deny statements affect requests.

Best Practice
expert
Which bucket policy best follows the principle of least privilege for cross-account read access?

You want to allow read-only access to your bucket secure-bucket for a specific AWS account 987654321098. Which bucket policy snippet follows the principle of least privilege?

A. { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::987654321098:user/AnyUser"}, "Action": ["s3:*"], "Resource": "arn:aws:s3:::secure-bucket/*" }
B. { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::987654321098:root"}, "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::secure-bucket" }
C. { "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::secure-bucket" }
D. { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::987654321098:root"}, "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::secure-bucket/*" }

Hint: Least privilege means granting only the exact permissions needed to the correct principal.

Practice

1. What is the main purpose of a bucket policy in AWS S3?
easy
A. To monitor the bucket usage statistics
B. To store files inside the bucket
C. To control who can access and perform actions on the bucket
D. To backup the bucket data automatically

Solution

  1. Step 1: Understand bucket policy role

    A bucket policy defines permissions for users or services to access the bucket.
  2. Step 2: Differentiate from other functions

    Storing files, monitoring, and backup are separate features, not controlled by bucket policies.
  3. Final Answer:

    To control who can access and perform actions on the bucket -> Option C
  4. Quick Check:

    Bucket policy = Access control [OK]
Hint: Bucket policies manage access permissions only [OK]
Common Mistakes:
  • Confusing bucket policy with storage function
  • Thinking bucket policy handles backups
  • Assuming bucket policy monitors usage
2. Which of the following is the correct JSON key to specify who is allowed or denied access in a bucket policy?
easy
A. "Action"
B. "Principal"
C. "Resource"
D. "Effect"

Solution

  1. Step 1: Identify the key for user or service

    The "Principal" key specifies the user, account, service, or entity the policy applies to.
  2. Step 2: Differentiate from other keys

    "Action" defines allowed actions, "Resource" defines the bucket or objects, "Effect" states Allow or Deny.
  3. Final Answer:

    "Principal" -> Option B
  4. Quick Check:

    Who = Principal [OK]
Hint: Principal means who gets access [OK]
Common Mistakes:
  • Confusing "Action" with "Principal"
  • Using "Effect" to specify user
  • Mixing up "Resource" with user identity
3. Given this bucket policy snippet, what does it allow?
{
  "Effect": "Allow",
  "Principal": "*",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::example-bucket/*"
}
medium
A. Allows anyone to upload files to the bucket
B. Allows only the bucket owner to delete objects
C. Denies all access to the bucket
D. Allows anyone to read objects from the bucket

Solution

  1. Step 1: Analyze the Effect and Principal

    Effect is "Allow" and Principal is "*", meaning every principal is allowed.
  2. Step 2: Check the Action and Resource

    Action is "s3:GetObject", which means read access to the objects in the bucket "example-bucket".
  3. Final Answer:

    Allows anyone to read objects from the bucket -> Option D
  4. Quick Check:

    Allow + * + GetObject = public read [OK]
Hint: Effect Allow + Principal * + GetObject = public read [OK]
Common Mistakes:
  • Thinking GetObject allows uploads
  • Confusing Allow with Deny
  • Ignoring the wildcard * in Principal
4. You wrote this bucket policy but users still cannot upload files:
{
  "Effect": "Allow",
  "Principal": "*",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::example-bucket"
}

What is the problem?
medium
A. The Resource ARN is missing the /* to specify objects
B. The Action s3:PutObject is invalid
C. The Principal cannot be * for uploads
D. Effect should be Deny to allow uploads

Solution

  1. Step 1: Check the Resource ARN format

    To allow object uploads, Resource must include "/*" to specify objects inside the bucket.
  2. Step 2: Validate Action and Principal

    s3:PutObject is valid, Principal "*" is allowed, and Effect "Allow" is correct.
  3. Final Answer:

    The Resource ARN is missing the /* to specify objects -> Option A
  4. Quick Check:

    PutObject needs resource with /* [OK]
Hint: Resource must end with /* for object actions [OK]
Common Mistakes:
  • Using bucket ARN without /* for object actions
  • Thinking Principal * is disallowed
  • Confusing Allow and Deny effects
5. You want to create a bucket policy that denies all users except a specific AWS account (ID: 123456789012) from deleting objects in your bucket named "secure-bucket". Which policy snippet correctly enforces this?
hard
A. { "Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*", "Condition": { "StringNotEquals": { "aws:PrincipalAccount": "123456789012" } } }
B. { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" }
C. { "Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" }
D. { "Effect": "Allow", "Principal": "*", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" }

Solution

  1. Step 1: Understand the requirement

    We want to deny delete actions to everyone except the specified account.
  2. Step 2: Analyze each option

    { "Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*", "Condition": { "StringNotEquals": { "aws:PrincipalAccount": "123456789012" } } } uses a StringNotEquals condition to deny delete to all principals except those whose account is 123456789012. This matches the requirement.
    { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" } allows only the specified account but does not deny others explicitly.
    { "Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" } denies only the specified account, opposite of requirement.
    { "Effect": "Allow", "Principal": "*", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" } allows everyone, which is incorrect.
  3. Final Answer:

    Denies delete to everyone except the specified account -> Option A
  4. Quick Check:

    Deny with Condition StringNotEquals excludes one account [OK]
Hint: Use Deny with Condition StringNotEquals for exceptions [OK]
Common Mistakes:
  • Using Allow without Deny for blocking others
  • Denying the allowed account by mistake
  • Not specifying Condition for exceptions
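As an added example (not part of this quiz page and not AWS code), a small Python evaluator for the decision logic behind practice questions 4 and 5: wildcard resource matching, the StringNotEquals condition, and explicit Deny overriding Allow. It models only the bucket policy itself (no identity policies, SCPs, ACLs or Block Public Access), supports only the String(Not)Equals operators, and the principals Alice and Mallory and their request contexts are constructed.

```python
import re

def _wild(pattern, value):
    # IAM wildcard semantics: '*' matches any run of characters, '?' a single character
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(principal, ctx):
    # Simplified: "*" or an exact list of ARNs under the "AWS" key (no root-ARN delegation)
    return principal == "*" or ctx["aws:PrincipalArn"] in _as_list(principal.get("AWS", []))

def _conditions_hold(cond, ctx):
    # Only the StringEquals / StringNotEquals operators used on this page are modelled
    for op, pairs in cond.items():
        for key, want in pairs.items():
            hit = ctx.get(key) in _as_list(want)
            if (op == "StringEquals" and not hit) or (op == "StringNotEquals" and hit):
                return False
    return True

def evaluate(statements, action, resource, ctx):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request against a bucket policy."""
    decision = "ImplicitDeny"          # nothing matched: default deny
    for st in statements:
        applies = (any(_wild(a, action) for a in _as_list(st["Action"]))
                   and any(_wild(r, resource) for r in _as_list(st["Resource"]))
                   and _principal_matches(st["Principal"], ctx)
                   and _conditions_hold(st.get("Condition", {}), ctx))
        if applies and st["Effect"] == "Deny":
            return "ExplicitDeny"      # an explicit Deny overrides every Allow
        if applies:
            decision = "Allow"
    return decision

# Constructed request contexts for two hypothetical principals
ALICE = {"aws:PrincipalArn": "arn:aws:iam::123456789012:user/Alice", "aws:PrincipalAccount": "123456789012"}
MALLORY = {"aws:PrincipalArn": "arn:aws:iam::999999999999:user/Mallory", "aws:PrincipalAccount": "999999999999"}
# Practice question 4: the bare bucket ARN never matches an object key; "/*" fixes it
BROKEN_PUT = [{"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket"}]
FIXED_PUT = [{"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}]
# Practice question 5 (option A) plus a blanket Allow, to show that the conditional Deny still wins
DELETE_GUARD = [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*",
     "Condition": {"StringNotEquals": {"aws:PrincipalAccount": "123456789012"}}},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*"},
]
```

Evaluating the constructed policies shows PutObject on an object key failing against the bare bucket ARN and succeeding with "/*", and the delete guard letting account 123456789012 through while explicitly denying any other account despite the blanket Allow.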