ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
An organization stores compliance reports in an encrypted Amazon S3 bucket. External auditors must have read-only access for the next two weeks. The security team must follow least-privilege principles, avoid creating long-lived IAM users, and ensure that access can be revoked immediately if the engagement ends early. Which approach best meets these requirements?
Add a bucket ACL that grants READ permission to the auditors' corporate email addresses.
Create an IAM role that allows only s3:GetObject on the bucket and let the auditors assume the role using temporary security credentials for the two-week period.
Attach a bucket policy that allows any principal to GetObject when the request originates from the auditors' office IP addresses.
Provision an IAM user for each auditor, attach the AmazonS3ReadOnlyAccess managed policy, and set a 14-day password expiration.
Using an IAM role that the auditors assume with temporary security credentials applies the concept of entitlement: it grants exactly the resource permissions needed and nothing more. Because assuming the role issues short-lived credentials, it avoids the operational burden and risk of permanent IAM users. The role's permissions policy can limit actions to s3:GetObject on the specific bucket and can include an explicit expiration date as a condition, and the role can be deactivated at any time, allowing immediate revocation.
Granting access through bucket ACLs does not provide easy centralized revocation or granular control (and ACLs cannot grant access to email addresses in the way the option describes). Creating IAM users with expiring passwords still leaves long-lived access keys unless additional steps are taken, and it contradicts the requirement to avoid persistent identities. A bucket policy that opens access to anyone from specific IP ranges violates least privilege by not tying permissions to a defined principal, and it is harder to track and revoke quickly.
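As an added example that is not part of the practice question or its explanation, the policy documents the correct answer implies, generated and checked in Python so they can be reviewed offline: a trust policy limiting who may assume the role, a permissions policy limited to s3:GetObject on one bucket with a built-in expiry, a session-revocation policy for ending access early, and a small linter that flags the kind of over-broad grant the wrong answers would produce. The bucket name, account ID, ExternalId and dates are constructed placeholders, and the "broad" policy is only an approximation of a managed read-only policy, not a copy of it.

```python
"""Added example (not from the question page): least-privilege role policies
for time-boxed auditor access to one S3 bucket, plus a requirements check."""
import json
from datetime import datetime, timezone

# Constructed placeholder values, not real identifiers.
BUCKET = "example-compliance-reports"
AUDITOR_ACCOUNT_ID = "111122223333"        # the auditors' own AWS account
EXTERNAL_ID = "audit-engagement-2024q2"    # value agreed out of band with the auditors
ACCESS_ENDS = "2024-06-30T23:59:59Z"       # end of the two-week engagement


def trust_policy(auditor_account_id: str, external_id: str) -> dict:
    """Who may assume the role: only the auditors' account, and only when it
    presents the agreed ExternalId (protects against the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{auditor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(bucket: str, ends_at: str) -> dict:
    """What the role may do: read objects in this one bucket, and only until the
    engagement end date. aws:CurrentTime makes the grant expire on its own."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadReportsUntilEngagementEnds",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"DateLessThan": {"aws:CurrentTime": ends_at}},
        }],
    }


def revoke_sessions_policy(revoked_at: datetime) -> dict:
    """Immediate revocation: deny everything to any session whose credentials were
    issued before `revoked_at`. This is the same mechanism the IAM console uses for
    'Revoke active sessions', and it covers temporary credentials already handed out."""
    stamp = revoked_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }


# Constructed approximation of a broad managed read-only grant (every bucket, every
# Get/List action, no expiry), the kind of access the IAM-user option would give.
BROAD_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*"],
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def least_privilege_findings(policy: dict, bucket: str) -> list:
    """Reasons the policy fails the brief (read-only, one bucket, time-boxed).
    An empty list means it passes."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"wildcard action {action!r} grants more than object reads")
            elif action != "s3:GetObject":
                findings.append(f"action {action!r} is beyond object reads")
        for resource in _as_list(stmt.get("Resource", [])):
            if not resource.startswith(f"arn:aws:s3:::{bucket}"):
                findings.append(f"resource {resource!r} is not scoped to the bucket")
        expiry = stmt.get("Condition", {}).get("DateLessThan", {})
        if "aws:CurrentTime" not in expiry:
            findings.append("no aws:CurrentTime expiry: access would outlive the engagement")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(AUDITOR_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(json.dumps(permissions_policy(BUCKET, ACCESS_ENDS), indent=2))
    print("scoped policy findings:", least_privilege_findings(permissions_policy(BUCKET, ACCESS_ENDS), BUCKET))
    print("broad policy findings:", least_privilege_findings(BROAD_READ_POLICY, BUCKET))
```

The two policies are what would be attached to the role (the trust policy as its assume-role document, the permissions policy inline); if the engagement ends early, attaching the revocation policy with the current time cuts off sessions that were already issued, and deleting the role prevents new ones.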