AWS Certified Solutions Architect Associate SAA-C03 Practice Question
An application running on Amazon EC2 instances needs to read log files that are stored only in the S3 bucket named app-logs. No other S3 actions or buckets are required.
Which IAM policy best implements the principle of least privilege for the application's IAM role?
Allow s3:GetObject and s3:PutObject on all S3 buckets in the account.
Allow the action s3:GetObject on the resource arn:aws:s3:::app-logs/*.
Allow s3:* on the resource arn:aws:s3:::app-logs/*.
Attach the AWS managed policy AmazonS3ReadOnlyAccess to the role.
Granting s3:GetObject on the specific bucket path arn:aws:s3:::app-logs/* limits both the actions and the resource scope to exactly what the application needs, satisfying the least-privilege principle. The other options either grant broader actions (write or list), apply to every bucket in the account, or use a managed policy that provides read access to all buckets, all of which exceed the stated requirement.
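The policy document the correct option describes, written out as an added example (it is not part of the original question page); the action and resource come from the question, the Sid value is an assumption:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadAppLogsOnly",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::app-logs/*"
    }
  ]
}
```

This grants nothing on the bucket ARN itself (arn:aws:s3:::app-logs), so the role cannot list the bucket's keys; the application must already know the object keys it reads, which matches the stated requirement.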