-
Hi there,
In the 4th practice exam I have this question:
You are working as a Solutions Architect for a computer hardware manufacturer which has a supply chain application written in NodeJS. The application is deployed on a Reserved EC2 instance which has been allocated with an IAM Role that provides access to data files stored in an S3 bucket.
In this architecture, which of the following IAM policies control access to your data files in S3? (Choose 2)
Possible answers (obviously wrong):
An IAM trust policy that allows the NodeJS supply chain application running on the EC2 instance to access the data files stored in the S3 bucket.
An IAM trust policy that allows the EC2 instance to assume an S3 role.
Other possible answers:
1. An IAM access policy that allows the EC2 role to access S3 objects. = Correct
2. An IAM bucket policy that allows the EC2 role to access S3 objects. = Incorrect
3. An IAM trust policy that allows the EC2 instance to assume an EC2 instance role. = Correct
Although I agree for the correct answers, the incorrect one is worrying me.
The explanation is: there is no such thing as an IAM bucket policy, as only S3 has this kind of policy.
I know how AWS exams can be tricky sometimes, but the term “Bucket Policy” is something you can find in the AWS documentation:
https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html
And it was impossible for me to eliminate the 2nd answer.
Anyway, if it’s a known trap, I’ll remember that.
Claude.
-
Hello Claude,
Thanks for the feedback.
I understand that the wording of the choices may be confusing (as is usual for Professional-level questions), especially the option “An IAM bucket policy that allows the EC2 role to access S3 objects.”
But if we look at all the choices, they are all using the IAM console, not the S3 console, to create policies. This particular option (“An IAM bucket policy that allows the EC2 role to access S3 objects.”) implies that on the IAM console you create a bucket policy, which is impossible because a bucket policy is only created in the S3 web console (or via the S3 API/SDK) and not in the IAM console.
The option is incorrect because it implies you use the IAM console (or IAM API) to create a bucket policy.
Hope this helps.
Regards,
Kenneth Samonte @ Tutorials Dojo
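The distinction Kenneth draws above (trust policy and identity policy live on the IAM role; a bucket policy is an S3 resource policy attached to the bucket) can be made mechanical by looking at the shape of the JSON. An identity-based policy has no Principal element, because the principal is whatever the policy is attached to; a trust policy has a Principal and only sts: actions; any other policy with a Principal is a resource-based policy and is attached through the resource's own service API (for S3, PutBucketPolicy), not through IAM. The Python below is an added example, not code from the thread or from Tutorials Dojo, and every account ID, role name and bucket name in it is a constructed placeholder.

```python
"""Classify AWS policy documents by structure and report which API attaches them.

Added example (not from the forum post). The sample documents are constructed;
the account ID 123456789012, the role SupplyChainEC2Role and the bucket
example-supply-chain-data are placeholders, not real resources.
"""
import json

# Which API actually stores each kind of policy. Only the first two are IAM APIs.
ATTACH_API = {
    "trust policy": "iam:CreateRole / iam:UpdateAssumeRolePolicy (stored on the role)",
    "identity policy": "iam:PutRolePolicy / iam:AttachRolePolicy (stored on the role)",
    "resource policy": "s3:PutBucketPolicy (stored on the bucket; no IAM API does this)",
}


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def classify_policy(document: str) -> str:
    """Return 'trust policy', 'identity policy' or 'resource policy'.

    Rule: no Principal on any statement -> identity policy (the attached
    entity is the implicit principal). Principal on every statement and only
    sts: actions -> trust policy (a resource policy on the role itself).
    Principal on every statement with any other action -> resource policy,
    e.g. an S3 bucket policy. A mix is rejected as malformed.
    """
    statements = _as_list(json.loads(document).get("Statement"))
    if not statements:
        raise ValueError("policy has no Statement")
    has_principal = [("Principal" in s) or ("NotPrincipal" in s) for s in statements]
    if not any(has_principal):
        return "identity policy"
    if not all(has_principal):
        raise ValueError("some statements name a Principal and some do not")
    actions = [a.lower() for s in statements for a in _as_list(s.get("Action"))]
    if actions and all(a.startswith("sts:") for a in actions):
        return "trust policy"
    return "resource policy"


def attach_with(document: str) -> str:
    """Name the API that stores this policy, making the IAM vs S3 split explicit."""
    return ATTACH_API[classify_policy(document)]


def aws_principals(document: str) -> set:
    """Collect the AWS principals (ARNs, account IDs or '*') a resource policy names."""
    found = set()
    for statement in _as_list(json.loads(document).get("Statement")):
        principal = statement.get("Principal")
        if principal == "*":
            found.add("*")
        elif isinstance(principal, dict):
            found.update(_as_list(principal.get("AWS")))
    return found


# Constructed sample documents mirroring the three artefacts in the exam question.
ROLE_ARN = "arn:aws:iam::123456789012:role/SupplyChainEC2Role"  # placeholder
BUCKET_ARN = "arn:aws:s3:::example-supply-chain-data"            # placeholder

TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
})

ROLE_ACCESS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}],
})

BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": ROLE_ARN},
                   "Action": "s3:GetObject",
                   "Resource": BUCKET_ARN + "/*"}],
})

if __name__ == "__main__":
    for name, doc in [("trust", TRUST_POLICY), ("role access", ROLE_ACCESS_POLICY),
                      ("bucket", BUCKET_POLICY)]:
        print(f"{name:12s} -> {classify_policy(doc):16s} via {attach_with(doc)}")
```

Run against infrastructure-as-code output, the same check flags the mistake the wrong answer option describes: a document with a Principal and s3: actions fed to an IAM role-policy call will never be accepted by IAM, because IAM identity policies have no Principal element at all.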
-
Hi Kenneth,
Thanks for your answer, it was super useful.
You are right, I missed that point: a Bucket Policy is not an IAM Policy…
I fell in the trap.
Regards,
Claudio