You want to create an IAM group that grants read-only access to objects in the S3 bucket named project-files. Which policy snippet correctly enforces this?
Difficulty: hard | Best Practice, Question 8 of 15
AWS - Identity and Access Management
Step 1: Identify the requirement
Read-only access to objects requires s3:GetObject on the bucket's objects.
Step 2: Analyze options
Option A:
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::project-files/*"
      }]
    }
This allows s3:GetObject on all objects in the bucket, which is correct.
Step 3: Exclude incorrect options
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket"],
        "Resource": "arn:aws:s3:::project-files"
      }]
    }
This only allows listing the bucket, not reading objects.
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Deny",
        "Action": ["s3:DeleteObject"],
        "Resource": "arn:aws:s3:::project-files/*"
      }]
    }
This denies delete but does not allow read.
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": "arn:aws:s3:::project-files/*"
      }]
    }
This allows all S3 actions on the objects, which is too permissive.
Final Answer:
Option A (Allow s3:GetObject on arn:aws:s3:::project-files/*)
Quick Check:
Use s3:GetObject on bucket objects for read-only [OK]
Quick Trick: Use s3:GetObject with the bucket ARN plus the /* suffix, so the resource matches the objects rather than the bucket itself [OK]
Common Mistakes:
Granting s3:ListBucket only without GetObject
Using Deny instead of Allow for read access
Granting full s3:* permissions unnecessarily