
  • Review Mode 01 – Security Exam – Incorrect Response

  • Marcos Daniel Santos

    Member
    November 17, 2025 at 4:58 am

    This question:

    A company has two Amazon S3 buckets: dojobucket1 and dojobucket2 that are used to store static contents. The dojobucket2 does not have a bucket policy defined. In the company’s AWS account, there is an IAM User named stacey, with the following IAM policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TutorialsDojo1",
                "Effect": "Allow",
                "Action": [
                    "s3:*"
                ],
                "Resource": [
                    "arn:aws:s3:::dojobucket2/*",
                    "arn:aws:s3:::dojobucket2"
                ]
            }
        ]
    }
    

    The dojobucket1 has the following bucket policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {   
                "Sid": "BucketDojo1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::123450618351:user/stacey"
                },
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::dojobucket1",
                    "arn:aws:s3:::dojobucket1/*"
                ]
            }
        ]
    }
    

    In this scenario, which bucket/s can the user stacey access?

    Please update this question with the correct answer.

  • Nikee-TutorialsDojo

    Administrator
    November 17, 2025 at 10:00 am

    Hi Marcos,

    Thank you for posting. Let me explain why the correct answer is that Stacey can access both S3 buckets, based strictly on the scenario provided.

    Stacey can access both dojobucket1 and dojobucket2 because she receives valid permission from two different types of AWS policies that work together to determine final access. For dojobucket2, Stacey’s IAM user policy explicitly grants her full S3 access (s3:*) to that bucket and all objects within it by listing both the bucket ARN and the object ARN. Even though dojobucket2 has no bucket policy configured, that does not restrict her because identity-based IAM policies alone are sufficient to grant access unless an explicit Deny exists, which is not the case here. Therefore, her IAM policy alone gives her complete access to dojobucket2.

    For dojobucket1, Stacey’s IAM policy does not mention this bucket at all, but S3 bucket policies are resource-based policies that can grant permission directly to a principal. The bucket policy for dojobucket1 explicitly lists Stacey’s IAM user ARN as the allowed principal and gives her full s3:* permissions over both the bucket and its objects. Because AWS evaluates all identity- and resource-based policies together, and because a bucket policy can independently grant access to an IAM user, this bucket policy alone is enough to allow Stacey to fully access dojobucket1. Since there are no explicit Deny statements in any policy affecting either bucket, both Allows remain valid and effective.

    In short, Stacey can access dojobucket2 due to her IAM policy and she can access dojobucket1 due to the bucket policy. AWS permission evaluation uses a “logical OR” for Allow statements across identity-based and resource-based policies. As long as at least one applicable policy grants an Allow and no explicit Deny overrides it, the user receives access. Because each bucket has at least one Allow that applies to Stacey, she ends up being able to access both buckets.

    Therefore, the correct answer for this scenario is that Stacey can access both dojobucket1 and dojobucket2.

    I hope this clears up any confusion you may have. If you have further questions, please don’t hesitate to contact us.

    Regards,

    Nikee @ Tutorials Dojo
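To make the evaluation logic in the reply above concrete, here is an added example (not code from the forum post or from Tutorials Dojo) that simulates how the two policies from the question combine for the user stacey. It implements the documented decision order (a matching explicit Deny wins, otherwise any matching Allow from the identity-based or the resource-based policy grants access, otherwise the request is implicitly denied) for a principal in the same account as the buckets; it assumes that same-account case and deliberately ignores SCPs, permission boundaries, session policies and ACLs. The account id is the one shown in the question's bucket policy; the object key `index.html` and the `evaluate`/`accessible_buckets` helper names are constructed for the example.

```python
"""Offline simulation of AWS identity-based plus resource-based policy
evaluation for the two buckets in the question (same-account principal;
SCPs, permission boundaries, session policies and ACLs are out of scope)."""
from fnmatch import fnmatchcase

ACCOUNT_ID = "123450618351"                      # account id from the question
STACEY = f"arn:aws:iam::{ACCOUNT_ID}:user/stacey"

# Identity-based policy attached to the IAM user stacey (as in the question).
STACEY_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TutorialsDojo1",
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": ["arn:aws:s3:::dojobucket2/*", "arn:aws:s3:::dojobucket2"],
    }],
}

# Resource-based (bucket) policies keyed by bucket name; dojobucket2 has none.
BUCKET_POLICIES = {
    "dojobucket1": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "BucketDojo1",
            "Effect": "Allow",
            "Principal": {"AWS": STACEY},
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::dojobucket1", "arn:aws:s3:::dojobucket1/*"],
        }],
    },
}


def _as_list(value):
    """IAM accepts either a single value or a list for Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    """Identity-based statements carry no Principal; resource-based statements
    must name the caller explicitly (or use the "*" wildcard)."""
    if "Principal" not in statement:
        return True
    principal = statement["Principal"]
    if principal == "*":
        return True
    return principal_arn in _as_list(principal.get("AWS", []))


def _statement_applies(statement, principal_arn, action, resource_arn):
    """Case-sensitive wildcard matching on Action and Resource, as IAM does."""
    return (
        _principal_matches(statement, principal_arn)
        and any(fnmatchcase(action, p) for p in _as_list(statement["Action"]))
        and any(fnmatchcase(resource_arn, p) for p in _as_list(statement["Resource"]))
    )


def bucket_of(resource_arn):
    """arn:aws:s3:::bucket/key  ->  bucket"""
    return resource_arn.split(":::", 1)[1].split("/", 1)[0]


def evaluate(principal_arn, action, resource_arn,
             identity_policy=STACEY_IAM_POLICY, bucket_policies=BUCKET_POLICIES):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    policies = [identity_policy]
    bucket_policy = bucket_policies.get(bucket_of(resource_arn))
    if bucket_policy is not None:
        policies.append(bucket_policy)
    applicable = [
        s for p in policies for s in p["Statement"]
        if _statement_applies(s, principal_arn, action, resource_arn)
    ]
    # Rule 1: any matching explicit Deny overrides every Allow.
    if any(s["Effect"] == "Deny" for s in applicable):
        return "ExplicitDeny"
    # Rule 2: one matching Allow from either policy type is enough ("logical OR").
    if any(s["Effect"] == "Allow" for s in applicable):
        return "Allow"
    # Rule 3: nothing matched, so the default (implicit) deny applies.
    return "ImplicitDeny"


def accessible_buckets(principal_arn, action="s3:GetObject"):
    """Buckets in which the principal may perform `action` on a sample object."""
    return sorted(
        b for b in ("dojobucket1", "dojobucket2")
        if evaluate(principal_arn, action, f"arn:aws:s3:::{b}/index.html") == "Allow"
    )


if __name__ == "__main__":
    print(accessible_buckets(STACEY))            # ['dojobucket1', 'dojobucket2']
```

Running it reproduces the answer in the reply: dojobucket2 is reachable through the identity-based policy alone, dojobucket1 through the bucket policy alone. Passing a bucket policy that contains a Deny for stacey to `evaluate` shows the other half of the rule, since that single Deny flips the result to `ExplicitDeny` even though her IAM policy still says Allow.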

    • Marcos Daniel Santos

      Member
      November 17, 2025 at 9:08 pm

      Thanks Nikee!

      I tested this scenario in my account, and the result is the same as you suggested.

      • Nikee-TutorialsDojo

        Administrator
        November 18, 2025 at 8:28 am

        Happy to help, Marcos!

        If you have any further clarification, don’t hesitate to reach out. Happy Learning!

        Cheers,

        Nikee @ Tutorials Dojo
