AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A security engineer is designing permissions for a mission-critical Amazon S3 bucket that resides in the production AWS account (111111111111). The engineer must guarantee that no IAM principal (user or role) from any other AWS account, including the company's dev account (222222222222), can delete objects from this bucket. The solution must continue to allow valid delete operations that originate from principals in the production account. Which approach meets these requirements MOST effectively?
A. Attach a bucket policy to the S3 bucket that includes an explicit Deny for the actions s3:DeleteObject and s3:DeleteObjectVersion with Principal "*" and a StringNotEquals condition on aws:PrincipalAccount with the value "111111111111".
B. Apply an IAM identity-based policy in the dev account that denies s3:DeleteObject against the production bucket.
C. Enable S3 Block Public Access on the bucket.
D. Use an S3 access control list (ACL) that grants FULL_CONTROL permission to the bucket owner.
A bucket policy is a resource-based policy attached to the bucket and evaluated in the bucket owner's account, so it applies to every request against the bucket no matter which account the caller belongs to. Option A (the bucket policy) adds an explicit Deny for s3:DeleteObject and s3:DeleteObjectVersion whose StringNotEquals condition on aws:PrincipalAccount matches any request from an account other than 111111111111. That blocks every cross-account principal, while requests from production principals do not match the condition and are evaluated normally against their own Allow permissions. An explicit Deny cannot be overridden by an Allow anywhere else, so a dev-account administrator has no way around it. An identity-based policy in the dev account (Option B) constrains only principals in that one account, can be edited by dev-account administrators, and does nothing about other accounts; because cross-account access to a bucket requires an Allow both in the caller's identity policy and in the bucket policy, the control belongs on the bucket. S3 Block Public Access (Option C) affects public (anonymous) access, not authenticated cross-account principals. ACLs (Option D) can only grant permissions; they cannot express a Deny or scope by account, so they do not meet the requirement.
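Worked example (added here; it is not part of the original question or its explanation): the Option A bucket policy built as a JSON document in Python, plus a small model of how IAM evaluates the StringNotEquals condition on aws:PrincipalAccount. The bucket name prod-critical-bucket, the object key and the request contexts are constructed for illustration; the evaluator models only the Deny side of policy evaluation and the two string operators, not the full IAM engine.

```python
import json

PROD_ACCOUNT = "111111111111"    # production account from the question
DEV_ACCOUNT = "222222222222"     # dev account from the question
BUCKET = "prod-critical-bucket"  # assumed bucket name (not in the question)


def build_bucket_policy(bucket: str, owner_account: str) -> dict:
    """Bucket policy from Option A: explicit Deny on the delete APIs for any
    principal whose calling account is not the bucket owner's account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyCrossAccountObjectDelete",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringNotEquals": {"aws:PrincipalAccount": owner_account}
                },
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _pattern_matches(pattern: str, value: str) -> bool:
    """Match an Action/Resource entry; only a trailing '*' wildcard is modelled."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate StringEquals / StringNotEquals blocks against the request
    context. As in IAM, a negated operator (StringNotEquals) evaluates to
    true when the key is absent from the context, so an anonymous request
    (which carries no aws:PrincipalAccount) also satisfies the Deny."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            allowed = _as_list(expected)
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in allowed:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in allowed:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def is_denied_by_bucket_policy(policy: dict, action: str, resource_arn: str,
                               context: dict) -> bool:
    """True if any Deny statement matches the request. Only the Deny side of
    evaluation is modelled: a request that is not denied here still needs an
    Allow (from the caller's identity policy, or an Allow statement in the
    bucket policy) before S3 will perform it."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_pattern_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_pattern_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


# Constructed requests: (label, action, request context). The context keys
# mirror what IAM populates; an anonymous request has no account key at all.
SAMPLE_REQUESTS = [
    ("prod role deletes object", "s3:DeleteObject", {"aws:PrincipalAccount": PROD_ACCOUNT}),
    ("dev role deletes object", "s3:DeleteObject", {"aws:PrincipalAccount": DEV_ACCOUNT}),
    ("dev role deletes version", "s3:DeleteObjectVersion", {"aws:PrincipalAccount": DEV_ACCOUNT}),
    ("dev role reads object", "s3:GetObject", {"aws:PrincipalAccount": DEV_ACCOUNT}),
    ("anonymous deletes object", "s3:DeleteObject", {}),
]


def evaluate_samples(policy: dict, bucket: str) -> dict:
    """Map each sample label to True (denied) or False (not denied)."""
    key = f"arn:aws:s3:::{bucket}/reports/q1.csv"  # constructed object key
    return {label: is_denied_by_bucket_policy(policy, action, key, ctx)
            for label, action, ctx in SAMPLE_REQUESTS}


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, PROD_ACCOUNT)
    print(json.dumps(policy, indent=2))
    for label, denied in evaluate_samples(policy, BUCKET).items():
        print(f"{label:28s} -> {'DENY' if denied else 'not denied'}")
```

Two points the run makes visible: the Deny never matches a production principal, but it also does not grant anything, so production roles still need their own Allow for s3:DeleteObject; and because StringNotEquals is true when aws:PrincipalAccount is absent, the same statement also covers unauthenticated requests. In a real deployment, apply the printed document with `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json` and confirm the behaviour with the IAM policy simulator rather than relying on this model.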