AWS Certified Solutions Architect Associate SAA-C03 Practice Question
Your company stores production log files in an Amazon S3 bucket named "prod-logs". A group of developers must be able to read any object in the bucket and upload new objects only to the folder "/tmp/" inside the bucket. They must not delete or overwrite existing log files. Which approach best follows the principle of least privilege while meeting these requirements?
Choose ONE answer.
Add a bucket policy that grants s3:* on arn:aws:s3:::prod-logs/* to Principal "*" so that developers always have full control.
Attach the AmazonS3FullAccess AWS managed policy to the developers group.
Create a customer-managed IAM policy that allows s3:GetObject on arn:aws:s3:::prod-logs/* and s3:PutObject on arn:aws:s3:::prod-logs/tmp/*, then attach the policy to the developers group.
Attach the AdministratorAccess AWS managed policy to the developers group.
Creating a narrowly scoped customer-managed policy that grants only the specific S3 actions (s3:GetObject on every object in the bucket and s3:PutObject on the tmp/ prefix) for the prod-logs bucket adheres to the principle of least privilege. Because the policy grants no s3:DeleteObject permission and confines s3:PutObject to the tmp/ prefix, developers cannot delete any object or overwrite objects outside tmp/, since IAM implicitly denies every action that is not explicitly allowed. The other options grant far broader permissions than required and increase risk: a bucket policy with Principal "*" opens the bucket to anyone, and the AmazonS3FullAccess and AdministratorAccess managed policies grant full control over all S3 resources or over the entire account.
References:
AWS Well-Architected Framework, Security Pillar: "Grant only the access that users require to perform specific actions on specific resources."
IAM Best Practices: "AWS managed policies might not grant least-privilege permissions for your specific use cases."