AWS - Identity and Access Management
Difficulty: medium · Debug Q6 of 15

An IAM policy grants full access to S3 but denies DeleteObject on a specific bucket. Why does this violate least privilege?

A. Because full access is granted, the deny is overridden
B. Because granting full access is too broad even with deny
C. Because deny statements are ignored in IAM policies
D. Because DeleteObject is not a valid S3 action
Step-by-Step Solution
Solution:
  1. Step 1: Understand the policy effect

    Full access grants every S3 action on every resource; the deny restricts only one action on one bucket.
  2. Step 2: Analyze the least privilege violation

    Granting full access is too broad; a single deny does not cure the over-permission on everything else.
  3. Final Answer:

    Granting full access is too broad even with deny -> Option B
  4. Quick Check:

    Least privilege forbids a broad allow with exceptions carved out by deny.
Quick Trick: Avoid broad allows; grant only the specific actions and resources that are needed.
Common Mistakes:
  • Thinking deny overrides all allow
  • Assuming deny statements are ignored
  • Believing DeleteObject is invalid
