AWS - Identity and Access Management
Best Practice Q9 of 15 (hard)

How would you write an IAM policy statement that denies all actions except 's3:ListBucket' on a specific bucket 'data-bucket'?
A. {"Effect": "Deny", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::data-bucket"}
B. {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::data-bucket"}
C. {"Effect": "Deny", "NotAction": "s3:ListBucket", "Resource": "arn:aws:s3:::data-bucket"}
D. {"Effect": "Allow", "NotAction": "s3:ListBucket", "Resource": "arn:aws:s3:::data-bucket"}
Step-by-Step Solution

  1. Understand the use of "NotAction" with "Deny"

    "NotAction" with "Deny" denies every action except those listed. A Deny statement never grants anything on its own, so "s3:ListBucket" still needs a separate Allow statement before it is actually permitted.
  2. Confirm the resource and action

    {"Effect": "Deny", "NotAction": "s3:ListBucket", "Resource": "arn:aws:s3:::data-bucket"} denies all actions except "s3:ListBucket" on 'data-bucket', matching the requirement.
  3. Final Answer:

    Deny NotAction "s3:ListBucket" -> Option C
  4. Quick Check:

    Deny + NotAction = deny all except listed [OK]
Quick Trick: "NotAction" with Deny excludes listed actions from denial [OK]
Common Mistakes:
  • Using Allow instead of Deny
  • Confusing Action and NotAction
  • Denying the allowed action by mistake
