AWS - Identity and Access Management
You want to create an IAM policy that allows a user to read objects only from a specific S3 bucket named "my-data-bucket" but denies deleting any objects. Which policy statement correctly achieves this?
Which policy statement correctly achieves this?
hard📝 Best Practice Q15 of 15
Step-by-Step Solution
Solution:
Step 1: Identify required permissions
The user needs permission to read objects only, which is "s3:GetObject" on the bucket's objects.Step 2: Check for delete denial
Not including "s3:DeleteObject" means no delete permission is granted. Explicit deny is not required if no allow exists.Step 3: Validate resource ARN
The resource must include "/*" to specify objects inside the bucket, not the bucket itself.Final Answer:
Allow s3:GetObject on objects in my-data-bucket only -> Option AQuick Check:
Allow read only, no delete = { "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-data-bucket/*" } [OK]
Quick Trick: Allow only needed actions; omit delete to deny it [OK]
Common Mistakes:
- Allowing delete by mistake
- Using bucket ARN without /* for objects
- Using wildcard s3:* granting too many permissions
Master "Identity and Access Management" in AWS
Want More Practice?
15+ quiz questions · All difficulty levels · Free
Free Signup - Practice All QuestionsMore AWS Quizzes