Difficulty: hard · Application · Question 15 of 15
AWS - S3 Fundamentals
You want to create a bucket policy that denies all users except a specific AWS account (ID: 123456789012) from deleting objects in your bucket named "secure-bucket". Which policy snippet correctly enforces this?
A. { "Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*", "Condition": { "StringNotEquals": { "aws:PrincipalAccount": "123456789012" } } }
B. { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" }
C. { "Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" }
D. { "Effect": "Allow", "Principal": "*", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" }
Step-by-Step Solution
Solution:
  1. Step 1: Understand the requirement

    We want to deny delete actions (s3:DeleteObject on secure-bucket/*) to every principal except the specified account, 123456789012.
  2. Step 2: Analyze each option

    Option A (Deny, Principal "*", Condition StringNotEquals on aws:PrincipalAccount) denies delete to all principals except those whose account is 123456789012: the StringNotEquals condition stops the Deny from applying to that one account. Because an explicit Deny overrides any Allow, no other grant can reopen deletes for other accounts. This matches the requirement. Note that a Deny-only statement grants nothing by itself; the exempted account still needs an Allow (for example in its IAM identity policy) to actually delete objects.
    Option B (Allow for arn:aws:iam::123456789012:root only) allows the specified account but does not deny others explicitly; any other Allow, whether another bucket-policy statement or an identity policy, would still let them delete.
    Option C (Deny for arn:aws:iam::123456789012:root only) denies only the specified account, the opposite of the requirement.
    Option D (Allow for Principal "*") allows everyone to delete, which is incorrect.
  3. Final Answer:

    Option A correctly denies delete to all except the specified account -> Option A
  4. Quick Check:

    Deny with Condition StringNotEquals excludes one account [OK]
Quick Trick: Use Deny with Condition StringNotEquals for exceptions [OK]
Common Mistakes:
  • Using Allow without Deny for blocking others
  • Denying the allowed account by mistake
  • Not specifying Condition for exceptions
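To see why only option A satisfies the requirement, the following added example (not part of the quiz page) runs the four candidate statements through a toy evaluator that applies the simplified IAM decision rule: a matching explicit Deny wins, otherwise a matching Allow grants, otherwise the request is implicitly denied. It models only what the options use (Principal "*" or {"AWS": arn}, Action and Resource with "*" wildcards, and StringNotEquals on aws:PrincipalAccount). The second account ID 111122223333, the broad pre-existing Allow statement, the object key and the Sid name are constructed for the demonstration.

```python
# Added example: toy evaluator for the four candidate bucket-policy statements.
# Simplified decision rule (assumption): explicit Deny that matches wins,
# otherwise a matching Allow grants, otherwise implicit deny.
import fnmatch
import json

BUCKET_ARN = "arn:aws:s3:::secure-bucket"
TRUSTED_ACCOUNT = "123456789012"          # the account from the question
OTHER_ACCOUNT = "111122223333"            # constructed: some other account

OPTIONS = {
    "A": {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject",
          "Resource": f"{BUCKET_ARN}/*",
          "Condition": {"StringNotEquals": {"aws:PrincipalAccount": TRUSTED_ACCOUNT}}},
    "B": {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT}:root"},
          "Action": "s3:DeleteObject", "Resource": f"{BUCKET_ARN}/*"},
    "C": {"Effect": "Deny", "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT}:root"},
          "Action": "s3:DeleteObject", "Resource": f"{BUCKET_ARN}/*"},
    "D": {"Effect": "Allow", "Principal": "*", "Action": "s3:DeleteObject",
          "Resource": f"{BUCKET_ARN}/*"},
}

# Constructed: a broad grant already present in the bucket policy. It stands in
# for "whatever else allows deletes" and shows which option still holds up.
EXISTING_BROAD_ALLOW = {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
                        "Resource": f"{BUCKET_ARN}/*"}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def principal_matches(principal, request):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return request["principal_arn"] in _as_list(principal.get("AWS", []))
    return False


def glob_matches(patterns, value):
    # IAM "*" and "?" wildcards are treated as shell-style globs here.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def condition_matches(condition, request):
    # Only StringNotEquals is modelled: the statement applies unless the
    # request-context key equals the listed value.
    for key, expected in (condition or {}).get("StringNotEquals", {}).items():
        if request["context"].get(key) == expected:
            return False
    return True


def statement_matches(stmt, request):
    return (principal_matches(stmt["Principal"], request)
            and glob_matches(stmt["Action"], request["action"])
            and glob_matches(stmt["Resource"], request["resource"])
            and condition_matches(stmt.get("Condition"), request))


def evaluate(statements, request):
    """Return 'Allow' or 'Deny' under the simplified decision rule."""
    effects = {s["Effect"] for s in statements if statement_matches(s, request)}
    if "Deny" in effects:
        return "Deny"                                   # explicit deny wins
    return "Allow" if "Allow" in effects else "Deny"    # implicit deny


def delete_request(account):
    return {"principal_arn": f"arn:aws:iam::{account}:root",
            "action": "s3:DeleteObject",
            "resource": f"{BUCKET_ARN}/report.csv",     # constructed object key
            "context": {"aws:PrincipalAccount": account}}


def meets_requirement(statement):
    """True when, next to the broad grant, only the trusted account may delete."""
    policy = [statement, EXISTING_BROAD_ALLOW]
    return (evaluate(policy, delete_request(TRUSTED_ACCOUNT)) == "Allow"
            and evaluate(policy, delete_request(OTHER_ACCOUNT)) == "Deny")


def full_bucket_policy():
    """Complete bucket-policy document built around option A (Sid is constructed)."""
    statement = dict(Sid="DenyDeleteExceptTrustedAccount", **OPTIONS["A"])
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]}, indent=2)


if __name__ == "__main__":
    for letter, stmt in OPTIONS.items():
        print(f"Option {letter} meets requirement: {meets_requirement(stmt)}")
    print(full_bucket_policy())
```

Running it reports True only for option A. Evaluating option A on its own, with no Allow statement beside it, returns Deny even for the trusted account, which is the point made in the solution: the Deny carves out the exception but grants nothing by itself.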