AWS Certified Solutions Architect Associate SAA-C03 Practice Question
Your company stores production log files in an Amazon S3 bucket named "prod-logs". A group of developers must be able to read any object in the bucket and upload new objects only to the folder "/tmp/" inside the bucket. They must not delete or overwrite existing log files. Which approach best follows the principle of least privilege while meeting these requirements?
Choose ONE answer.
Attach the AdministratorAccess AWS managed policy to the developers group.
Create a customer-managed IAM policy that allows s3:GetObject on arn:aws:s3:prod-logs/* and s3:PutObject on arn:aws:s3:prod-logs/tmp/*, then attach the policy to the developers group.
Add a bucket policy that grants s3:* on arn:aws:s3:::prod-logs/* to Principal "*" so that developers always have full control.
Attach the AmazonS3FullAccess AWS managed policy to the developers group.
Creating a narrowly scoped customer-managed policy that grants only the specific S3 actions (GetObject on all objects and PutObject on the tmp folder) for the prod-logs bucket adheres to the principle of least privilege. The other options grant far broader permissions than required and increase risk.
References:
AWS Well-Architected Framework, Security Pillar: "Grant only the access that users require to perform specific actions on specific resources."
IAM Best Practices: "AWS managed policies might not grant least-privilege permissions for your specific use cases."
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the principle of least privilege?
Open an interactive chat with Bash
How can I enforce the principle of least privilege in AWS IAM policies?