Difficulty: medium · Predict Output · Question 5 of 15
AWS - Identity and Access Management
If an IAM user has a policy that denies 's3:DeleteObject' but allows 's3:*', what will happen when the user tries to delete an object in S3?
A. The delete operation fails because explicit deny overrides allow
B. The delete operation succeeds because 's3:*' allows all actions
C. The delete operation succeeds only if the bucket policy allows it
D. The delete operation fails due to missing MFA authentication
Step-by-Step Solution
  1. Understand IAM policy evaluation logic: an explicit Deny in any applicable policy always overrides any Allow, no matter how broad the Allow is.
  2. Apply this to the delete operation: because 's3:DeleteObject' is explicitly denied, the delete fails even though 's3:*' would otherwise allow it.
  3. Final answer: the delete fails due to the explicit deny, so Option A is correct.
  4. Quick check: explicit deny beats allow.
Quick Trick: Explicit deny always overrides allow.
Common Mistakes:
  • Thinking a broad allow overrides an explicit deny
  • Confusing bucket policy effects with an IAM explicit deny
