AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question

A company uses attribute-based access control (ABAC). Each IAM role for developers has a principal tag named 'Team' that identifies their squad (e.g., Blue or Green). All managed Amazon S3 objects are also tagged with the 'Team' key. You need a single IAM permissions policy that allows a role to delete objects only if the object's 'Team' tag matches the role's tag. Which Condition element satisfies this requirement?

"Condition": { "StringEquals": { "aws:ResourceTag/Team": "${aws:PrincipalTag/Team}" } }
"Condition": { "StringEqualsIfExists": { "aws:ResourceTag/Team": "${aws:PrincipalTag/Team}" } }
"Condition": { "StringEquals": { "s3:ExistingObjectTag/Team": "${aws:PrincipalTag/Team}" } }
"Condition": { "StringEquals": { "aws:PrincipalTag/Team": "${s3:ExistingObjectTag/Team}" } }

Report Issue

Answer Description

The policy must compare the 'Team' tag attached to the IAM principal with the 'Team' tag attached to the S3 object on which the 'DeleteObject' request is made. The global condition key aws:ResourceTag/tag-key refers to a tag that exists on the target resource (the S3 object), and the policy variable ${aws:PrincipalTag/Team} expands to the value of the caller's 'Team' tag at runtime. Using the StringEquals operator enforces an exact match; if the tags differ or are absent, the request is denied.

Using s3:ExistingObjectTag is incorrect as this condition key is typically used for actions like s3:ReplicateObject, not for general access control on s3:DeleteObject. Using StringEqualsIfExists would allow the operation when the object lacks the 'Team' tag, creating a security gap. The final option incorrectly reverses the operands and attempts to use a condition key as a policy variable, which is syntactically invalid.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.