AWS - Identity and Access Management
You want to create an IAM policy that allows a user to read objects from any bucket but only write to a specific bucket named 'logs-bucket'. Which policy statement correctly implements this?
You want to create an IAM policy that allows a user to read objects from any bucket but only write to a specific bucket named 'logs-bucket'. Which policy statement correctly implements this?
hard📝 Best Practice Q8 of 15
Step-by-Step Solution
Solution:
Step 1: Separate read and write permissions
Read (GetObject) should apply to all buckets, write (PutObject) only to 'logs-bucket'.Step 2: Check the resource ARNs and actions in each option
{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::*/*"}, {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::logs-bucket/*"} uses separate statements: GetObject on all buckets (arn:aws:s3:::*/*) and PutObject only on logs-bucket.Final Answer:
GetObject on * and PutObject on logs-bucket only -> Option BQuick Check:
Separate actions with correct resource ARNs = {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::*/*"}, {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::logs-bucket/*"} [OK]
Quick Trick: Use multiple statements to separate different resource permissions [OK]
Common Mistakes:
- Combining read and write on all buckets
- Reversing resource ARNs for actions
- Using single statement for different resource scopes
Master "Identity and Access Management" in AWS
Want More Practice?
15+ quiz questions · All difficulty levels · Free
Free Signup - Practice All QuestionsMore AWS Quizzes