AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
An AWS account (ID 111111111111) hosts an S3 bucket named corp-finance. The CloudOps engineer must allow only the IAM role AuditorsRole in an external account (ID 222222222222) to list the bucket and read objects. No other principal in that account should gain access. To meet the requirement, the engineer will use a resource-based policy and follow least privilege. Which configuration satisfies these goals?
Create a bucket policy with two statements that grant s3:ListBucket on arn:aws:s3:::corp-finance and s3:GetObject on arn:aws:s3:::corp-finance/*, setting "Principal": "arn:aws:iam::222222222222:role/AuditorsRole" in each statement.
Attach an inline IAM policy to AuditorsRole that allows s3:GetObject and s3:ListBucket on the corp-finance bucket; no bucket policy changes are needed.
Create a bucket policy that grants s3:* on the bucket and its objects to "Principal": "arn:aws:iam::222222222222:*" and add a Deny statement that blocks access when aws:PrincipalArn is not equal to AuditorsRole.
Create a bucket policy that grants s3:GetObject and s3:ListBucket to "Principal": "arn:aws:iam::222222222222:root".
With cross-account S3 access, the bucket policy (a resource-based policy) must explicitly name the external principal that is allowed. Granting permission directly to the role ARN (arn:aws:iam::222222222222:role/AuditorsRole) limits access to that single role and prevents other principals in that account from using the bucket. Two policy statements are required because the two actions apply to different resources: one allows s3:ListBucket on the bucket itself, and the other allows s3:GetObject on corp-finance/*; both statements use the specific role ARN as the Principal. Choices that reference the account root or a wildcard Principal delegate access to every principal in that account. Attaching an identity-based policy to the role alone is insufficient because a cross-account request must be allowed on both sides: by the role's identity-based policy in account 222222222222 and by the bucket policy in account 111111111111. Without a bucket policy grant, the bucket owner's account blocks the cross-account principal by default.
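The following worked example is added here and is not part of the original practice question or of Crucial Exams' material. It builds the two-statement bucket policy the explanation describes, using the bucket name, account IDs and role name from the question, and runs a small least-privilege check over it and over two constructed policies that mirror the root-principal and wildcard distractors. The function names (build_bucket_policy, find_overbroad_grants) and the two distractor policies are assumptions made for illustration; the check is a simple string test, not a full IAM policy evaluator.

```python
"""
Added example (not from the original page): build the least-privilege
cross-account S3 bucket policy and flag over-broad grants in alternatives.
Uses only the standard library, so it runs offline.
"""
import json

BUCKET = "corp-finance"            # bucket owned by account 111111111111
EXTERNAL_ACCOUNT = "222222222222"  # account that owns AuditorsRole
ROLE_NAME = "AuditorsRole"


def build_bucket_policy(bucket: str, account_id: str, role_name: str) -> dict:
    """Return the two-statement policy: s3:ListBucket on the bucket ARN and
    s3:GetObject on bucket/*, each granted only to the named external role."""
    role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAuditorsListBucket",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,          # bucket-level action
            },
            {
                "Sid": "AllowAuditorsGetObject",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": "s3:GetObject",
                "Resource": f"{bucket_arn}/*",   # object-level action
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt: dict) -> list:
    """Normalise the Principal element to a list of AWS principal strings."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return _as_list(principal)  # bare "*" form


def find_overbroad_grants(policy: dict) -> list:
    """Return findings for Allow statements whose Principal covers a whole
    account (root, '*', or a trailing wildcard) or whose Action is a wildcard.
    Deny statements are skipped: they restrict, not grant (hypothetical helper)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for p in _principals(stmt):
            if p == "*" or p.endswith(":root") or p.endswith(":*"):
                findings.append(f"{sid}: principal {p!r} covers every principal in the account")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
    return findings


# Constructed distractor 1: granting to the account root delegates to every
# IAM principal in 222222222222 that its own policies permit.
ROOT_PRINCIPAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RootGrant",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{EXTERNAL_ACCOUNT}:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Constructed distractor 2: s3:* to a wildcard principal plus a Deny that
# tries to carve the role back out; the Allow is still over-broad.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BroadAllow",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{EXTERNAL_ACCOUNT}:*"},
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        },
        {
            "Sid": "DenyOthers",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"ArnNotEquals": {
                "aws:PrincipalArn": f"arn:aws:iam::{EXTERNAL_ACCOUNT}:role/{ROLE_NAME}"}},
        },
    ],
}

if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, EXTERNAL_ACCOUNT, ROLE_NAME)
    print(json.dumps(policy, indent=2))
    for name, p in [("least-privilege", policy),
                    ("root principal", ROOT_PRINCIPAL_POLICY),
                    ("wildcard", WILDCARD_POLICY)]:
        print(name, "->", find_overbroad_grants(p) or "no over-broad grants")
```

The JSON printed by the script is what you would pass to put-bucket-policy in account 111111111111; the role in account 222222222222 still needs its own identity-based policy allowing the same two actions, since cross-account access requires both sides to allow the request.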