AWS Certified Solutions Architect Associate SAA-C03 Practice Question
An application running on Amazon EC2 instances needs to read log files that are stored only in the S3 bucket named app-logs. No other S3 actions or buckets are required.
Which IAM policy best implements the principle of least privilege for the application's IAM role?
Attach the AWS managed policy AmazonS3ReadOnlyAccess to the role.
Allow s3:* on the resource arn:aws:s3:::app-logs/*.
Allow the action s3:GetObject on the resource arn:aws:s3:::app-logs/*.
Allow s3:GetObject and s3:PutObject on all S3 buckets in the account.
Granting s3:GetObject on the specific bucket path arn:aws:s3:::app-logs/* limits both the actions and the resource scope to exactly what the application needs, satisfying the least-privilege principle. The other options either grant broader actions (write or list), apply to every bucket in the account, or use a managed policy that provides read access to all buckets, all of which exceed the stated requirement.
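As an added illustration (not part of the practice question), the Python below writes three of the answer options out as IAM policy documents and runs a small least-privilege check over them: it confirms each policy grants the access the question requires and lists any constructed probe permissions it grants beyond that. Wildcard handling uses fnmatch as an approximation of IAM's own matching (no Deny or Condition evaluation), the probe pairs and the other-bucket name are constructed, and the AmazonS3ReadOnlyAccess option is omitted because its policy document is not on the page.

```python
from fnmatch import fnmatchcase

# The requirement stated in the question: read objects in app-logs only.
REQUIRED = {("s3:GetObject", "arn:aws:s3:::app-logs/*")}

# Constructed probes: permissions the application does NOT need.
PROBES = REQUIRED | {
    ("s3:PutObject", "arn:aws:s3:::app-logs/*"),
    ("s3:DeleteObject", "arn:aws:s3:::app-logs/*"),
    ("s3:ListBucket", "arn:aws:s3:::app-logs"),
    ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
}

# The inline answer options written out as policy documents.
OPTION_B = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-logs/*"}]}
OPTION_C = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-logs/*"}]}
OPTION_D = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def grants(policy, action, resource):
    """True if any Allow statement matches both the action and the resource.
    IAM action names are case-insensitive; ARNs are matched as written.
    fnmatch '*' and '?' approximate IAM wildcards (Deny/Condition not handled)."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatchcase(action.lower(), a.lower())
                        for a in _as_list(stmt.get("Action", [])))
        resource_ok = any(fnmatchcase(resource, r)
                          for r in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False

def meets_requirement(policy, required=REQUIRED):
    """Every required (action, resource) pair is granted."""
    return all(grants(policy, a, r) for a, r in required)

def excess_grants(policy, required=REQUIRED, probes=PROBES):
    """Probe pairs the policy allows that the requirement does not include."""
    return sorted(p for p in probes if p not in required and grants(policy, *p))

if __name__ == "__main__":
    for name, policy in [("B", OPTION_B), ("C", OPTION_C), ("D", OPTION_D)]:
        print(name, meets_requirement(policy), excess_grants(policy))
```

Only the s3:GetObject-on-app-logs/* policy meets the requirement with an empty excess list; the s3:* option adds write and delete on the same prefix, and the all-buckets option adds both write and reads from unrelated buckets.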