Q68 — AWS DOP-C02 Ch.2
A DevOps engineer is developing an application that persists files to Amazon S3. The application must upload files classified under different security categories defined by the company: confidential, private, and public. Files classified as confidential must be viewable only by the uploading user. The application uses users’ IAM roles to call S3 API operations. The DevOps engineer modified the application to add a DataClassification tag with value 'confidential' and an Owner tag containing the uploading user’s ID to each confidential object uploaded to Amazon S3.
- A. Modify the S3 bucket ACL to grant the bucket owner read access to the uploading user’s IAM role. Create an IAM policy that grants s3:GetObject permission on the S3 bucket when aws:ResourceTag/DataClassification equals 'confidential' and s3:ExistingObjectTag/Owner equals ${aws:userid}. Attach the policy to the IAM roles of users who need access to the S3 bucket.
- B. Modify the S3 bucket policy to allow s3:GetObject when aws:ResourceTag/DataClassification equals 'confidential' and s3:ExistingObjectTag/Owner equals ${aws:userid}. Create an IAM policy granting s3:GetObject on the S3 bucket and attach it to the users’ IAM roles. ✓
- C. Modify the S3 bucket policy to allow s3:GetObject when aws:ResourceTag/DataClassification equals 'confidential' and aws:RequestTag/Owner equals ${aws:userid}. Create an IAM policy granting s3:GetObject on the S3 bucket and attach it to the users’ IAM roles.
- D. Modify the S3 bucket ACL to grant authenticated users read access when aws:ResourceTag/DataClassification equals 'confidential' and s3:ExistingObjectTag/Owner equals ${aws:userid}. Create an IAM policy granting s3:GetObject on the S3 bucket and attach it to the users’ IAM roles.
Correct Answer: B. Modify the S3 bucket policy to allow s3:GetObject when aws:ResourceTag/DataClassification equals 'confidential' and s3:ExistingObjectTag/Owner equals ${aws:userid}. Create an IAM policy granting s3:GetObject on the S3 bucket and attach it to the users’ IAM roles.
Explanation
To enforce confidentiality, where only the uploading user may retrieve their own 'confidential' objects, the access decision has to be made at request time against the tags on the object being read. The S3 condition key for that is s3:ExistingObjectTag/<tag-key>: s3:ExistingObjectTag/Owner is compared with the requester's identity through the ${aws:userid} policy variable, and the object's DataClassification tag is checked the same way (the option text writes this one as aws:ResourceTag/DataClassification; aws:ResourceTag is evaluated against tags on the bucket itself, so a real policy uses the s3:ExistingObjectTag form for both object tags). Option B puts these conditions in the bucket policy, so IAM's default deny stands unless the object carries both tags and the Owner value matches the caller. Two practical points: for a role session aws:userid is '<role-id>:<session-name>' (returned as UserId by sts:GetCallerIdentity), so the application must write exactly that value into the Owner tag and the match only holds for later sessions that use the same role and session name; and because Allow statements in a same-account identity policy and bucket policy are combined as a union, the unconditional s3:GetObject Allow attached to the users' roles would let a non-owner read confidential objects unless the bucket policy also carries an explicit Deny for confidential objects whose Owner tag does not equal ${aws:userid}. ACLs (Options A and D) are per-grantee permission grants with no condition support, so they cannot express a tag-based rule at all. aws:RequestTag (Option C) matches tags supplied in the request itself, which is meaningful when an object is tagged on upload but not when an existing object is read, so that condition would never be satisfied on a GetObject call.
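Worked example, added here and not part of the question or the exam material: it builds the Option B policies as they would be written for object tags, the Tagging string the application sends on upload, and a small local model of how IAM combines the identity policy with the bucket policy, which makes the union-of-Allow point above concrete. The bucket name, account ID, role ID and session names are made up, and the evaluator only implements the StringEquals/StringNotEquals conditions this policy uses.

```python
"""Owner-only reads for 'confidential' S3 objects (Option B), with a local check
of how the identity policy and bucket policy combine. Added example; the bucket
name, account ID and the role-session IDs below are constructed, not real."""
import json
from urllib.parse import parse_qsl, urlencode

BUCKET = "example-classified-files"   # assumed bucket name
ACCOUNT_ID = "123456789012"           # assumed account ID
TAG = "s3:ExistingObjectTag/"         # condition-key prefix for tags on an object


def confidential_tag_string(owner_userid: str) -> str:
    """Value for put_object(Tagging=...): URL-encoded key=value pairs. owner_userid
    is the caller's aws:userid; for a role session that is '<role-id>:<session-name>',
    exactly what sts get_caller_identity returns as UserId."""
    return urlencode({"DataClassification": "confidential", "Owner": owner_userid})


def upload_confidential(s3, sts, bucket: str, key: str, body: bytes) -> str:
    """Upload as the question's application does: tag the object with its
    classification and the uploader's aws:userid. s3 and sts are boto3 clients
    (boto3.client('s3'), boto3.client('sts')), passed in so this runs offline
    against stubs. Returns the Owner value written."""
    owner = sts.get_caller_identity()["UserId"]
    s3.put_object(Bucket=bucket, Key=key, Body=body,
                  Tagging=confidential_tag_string(owner))
    return owner


def identity_policy(bucket: str) -> dict:
    """What Option B attaches to the users' roles: plain s3:GetObject on the
    bucket's objects (GetObject is object-level, hence the /* resource)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ReadBucketObjects", "Effect": "Allow",
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def bucket_policy(bucket: str, account_id: str, with_deny: bool = True) -> dict:
    """Option B's bucket policy. Both tags live on the object, so both use
    s3:ExistingObjectTag (the option text says aws:ResourceTag for the
    classification tag; that key is for bucket-level tags). The Allow is what the
    option describes; the Deny is what actually keeps other principals out once an
    unconditional identity-policy Allow exists in the same account."""
    objects = f"arn:aws:s3:::{bucket}/*"
    statements = [{
        "Sid": "OwnerReadsConfidential", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "s3:GetObject", "Resource": objects,
        "Condition": {"StringEquals": {TAG + "DataClassification": "confidential",
                                       TAG + "Owner": "${aws:userid}"}}}]
    if with_deny:
        # StringNotEquals is also true when the Owner tag is missing, so a
        # confidential object that lost its Owner tag is readable by nobody.
        statements.append({
            "Sid": "NobodyElseReadsConfidential", "Effect": "Deny", "Principal": "*",
            "Action": "s3:GetObject", "Resource": objects,
            "Condition": {"StringEquals": {TAG + "DataClassification": "confidential"},
                          "StringNotEquals": {TAG + "Owner": "${aws:userid}"}}})
    return {"Version": "2012-10-17", "Statement": statements}


def _conditions_match(statement: dict, object_tags: dict, userid: str) -> bool:
    """Evaluate the StringEquals/StringNotEquals tag conditions this example uses,
    with ${aws:userid} substituted. As in IAM, a negated operator is satisfied
    when the condition key is absent from the request."""
    for operator, clauses in statement.get("Condition", {}).items():
        for key, expected in clauses.items():
            actual = object_tags.get(key.removeprefix(TAG))
            expected = expected.replace("${aws:userid}", userid)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def get_object_allowed(policies: list, object_tags: dict, userid: str) -> bool:
    """Simplified same-account evaluation for s3:GetObject on one object: an
    explicit Deny whose conditions match wins, else any matching Allow grants,
    else the default deny applies. Principal and Resource are taken as matching
    (one bucket, one account), which is the case the question describes."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if st["Action"] != "s3:GetObject" or not _conditions_match(st, object_tags, userid):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    alice, bob = "AROAEXAMPLEROLEID:alice", "AROAEXAMPLEROLEID:bob"  # constructed userids
    tags = dict(parse_qsl(confidential_tag_string(alice)))       # what S3 stores
    roles = identity_policy(BUCKET)
    for with_deny in (False, True):
        policies = [roles, bucket_policy(BUCKET, ACCOUNT_ID, with_deny)]
        print(f"deny statement present: {with_deny}  alice: {get_object_allowed(policies, tags, alice)}"
              f"  bob: {get_object_allowed(policies, tags, bob)}")
    print(json.dumps(bucket_policy(BUCKET, ACCOUNT_ID), indent=2))
```

Run it and the first line of output shows bob reading alice's confidential object when only the Allow is present, because his role's identity policy grants s3:GetObject on its own; the second line shows the explicit Deny closing that path while alice's access is unchanged. The Deny also applies to administrators and the account root, which is what "viewable only by the uploading user" asks for, so any break-glass path needs to be designed in deliberately.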