
You want to allow a user to read objects from a specific S3 bucket but deny access to any objects with the prefix private/. Which policy logic correctly implements this?

Hard · Application · Q8 of 15
AWS - Identity and Access Management
A. Deny s3:GetObject on bucket/* and Allow s3:GetObject on bucket/private/*
B. Allow s3:GetObject on bucket/private/* and Deny s3:GetObject on bucket/*
C. Allow s3:GetObject on bucket/* only
D. Allow s3:GetObject on bucket/* and Deny s3:GetObject on bucket/private/*
Step-by-Step Solution
Solution:
  1. Step 1: Define allow and deny scopes

    Allow access to all objects, then explicitly deny the private prefix.
  2. Step 2: Apply deny precedence

    An explicit Deny on the private prefix overrides the Allow on all objects.
  3. Final Answer:

    Allow all then deny private prefix -> Option D
  4. Quick Check:

    Explicit Deny blocks specific prefix
Quick Trick: Use Allow broad + Deny specific prefix to restrict access
Common Mistakes:
  • Denying all then allowing private prefix
  • Only allowing private prefix
  • Not using explicit Deny for private prefix
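
To see why only option D works, the following added example (not part of the original quiz, and not AWS code) models the evaluation order described in the solution: explicit Deny first, then Allow, otherwise implicit deny. The bucket name, object keys and helper names are constructed for illustration.

```python
import re

BUCKET = "arn:aws:s3:::example-bucket"  # constructed bucket ARN (assumption)

def _matches(pattern, value):
    # IAM-style wildcards: '*' is any run of characters, '?' is exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def evaluate(statements, action, resource):
    """Decide one request against a list of identity-policy statements."""
    allowed = False
    for st in statements:
        if _matches(st["Action"], action) and _matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return "Deny"          # explicit Deny always wins
            allowed = True             # remember the Allow, keep scanning for a Deny
    return "Allow" if allowed else "Deny"  # no matching Allow means implicit deny

def stmt(effect, suffix):
    return {"Effect": effect, "Action": "s3:GetObject", "Resource": BUCKET + suffix}

# The four answer options from the question, as statement lists.
OPTIONS = {
    "A": [stmt("Deny", "/*"), stmt("Allow", "/private/*")],
    "B": [stmt("Allow", "/private/*"), stmt("Deny", "/*")],
    "C": [stmt("Allow", "/*")],
    "D": [stmt("Allow", "/*"), stmt("Deny", "/private/*")],
}

def results():
    """Map option -> (decision for a normal object, decision for a private/ object)."""
    out = {}
    for name, statements in OPTIONS.items():
        out[name] = (
            evaluate(statements, "s3:GetObject", BUCKET + "/reports/q1.csv"),
            evaluate(statements, "s3:GetObject", BUCKET + "/private/keys.txt"),
        )
    return out

if __name__ == "__main__":
    for name, (normal, private) in results().items():
        print(f"Option {name}: normal object -> {normal}, private/ object -> {private}")
```

Statement order does not matter in this model, which is why A and B behave identically: the broad Deny on bucket/* blocks every read, including the one the narrower Allow tries to grant.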
