Q42 — AWS SCS-C02 Ch.1
A security engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the security engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message. What is the likely cause of this access denial?
- A. The ACL in the bucket needs to be updated.
- B. The IAM policy does not allow the user to access the bucket.
- C. It takes a few minutes for a bucket policy to take effect.
- D. The allow permission is being overridden by the deny. ✓
Correct Answer: D. The allow permission is being overridden by the deny.
Explanation
Amazon S3 bucket policies follow the standard IAM evaluation rule: an explicit Deny always wins. When a request is evaluated, every applicable statement is collected; if any of them has Effect Deny, the request is denied regardless of how many Allow statements also match, and the order of statements in the JSON is irrelevant. The initial policy explicitly denies access to all principals ("Principal": "*", "Action": "s3:*"). The Allow statement added later does match the employee's request, but the blanket Deny still matches it as well, so the Deny overrides the Allow. Option D describes exactly this. The fix is to narrow the Deny so it no longer applies to the employee, for example with a Condition such as "ArnNotEquals" on "aws:PrincipalArn", or with NotPrincipal (which must then also list the account root, or the root is locked out too), or to drop the blanket Deny altogether, since any principal without a matching Allow is already implicitly denied.
The other options do not fit. Option A: the bucket ACL is evaluated alongside the bucket policy, but an ACL grant cannot override an explicit Deny in the policy. Option B: the scenario says nothing about the employee's identity-based policy, and within the same account a bucket-policy Allow is sufficient on its own; an IAM policy without an Allow would not change the outcome while the Deny is in place. Option C: bucket policy changes propagate quickly (seconds, not minutes), so a propagation delay does not explain a persistent denial.
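The following is an added example, not part of the original question page and not AWS code: a deliberately simplified model of the bucket-policy evaluation rule, run against the broken policy from the scenario and against a corrected version in which the Deny carries an ArnNotEquals condition on aws:PrincipalArn. The account ID, bucket name and user ARNs are constructed for the example. The model covers only Effect, Principal, Action, Resource and that one condition operator; the real IAM evaluator also considers identity-based policies, SCPs, session policies and many more condition keys. What it shares with the real evaluator is the rule the question tests: an applicable explicit Deny overrides any Allow, whatever the statement order.

```python
"""Simplified model of S3 bucket-policy evaluation (added example).

Models only: Effect, Principal ("*" or {"AWS": ...}), Action and Resource
with fnmatch-style wildcards, and an ArnNotEquals condition on
aws:PrincipalArn. Everything else in real IAM evaluation is out of scope.
"""
import copy
import fnmatch

# Constructed identifiers for the example (hypothetical account and users).
BUCKET = "hr-reports"
EMPLOYEE = "arn:aws:iam::111122223333:user/jdoe"
OTHER = "arn:aws:iam::111122223333:user/msmith"
BUCKET_RESOURCES = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# The policy from the scenario: a blanket Deny with an Allow appended later.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyAll", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": BUCKET_RESOURCES},
        {"Sid": "AllowEmployeeRead", "Effect": "Allow",
         "Principal": {"AWS": EMPLOYEE},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": BUCKET_RESOURCES},
    ],
}

# One fix: scope the Deny so it no longer applies to the employee.
# The Allow statement is left exactly as it was.
FIXED_POLICY = copy.deepcopy(BROKEN_POLICY)
FIXED_POLICY["Statement"][0]["Condition"] = {
    "ArnNotEquals": {"aws:PrincipalArn": EMPLOYEE}
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    return "*" in aws or caller_arn in aws


def _condition_holds(condition, caller_arn):
    # Only ArnNotEquals on aws:PrincipalArn is modelled; no Condition
    # block means the statement applies unconditionally.
    for key, value in condition.get("ArnNotEquals", {}).items():
        if key == "aws:PrincipalArn" and caller_arn in _as_list(value):
            return False
    return True


def _statement_applies(stmt, caller_arn, action, resource):
    return (
        _principal_matches(stmt["Principal"], caller_arn)
        and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        and _condition_holds(stmt.get("Condition", {}), caller_arn)
    )


def evaluate(policy, caller_arn, action, resource):
    """Return "Deny", "Allow" or "ImplicitDeny" for one request.

    Explicit Deny is checked first across all applicable statements, then
    Allow; anything else is an implicit deny. Statement order plays no part.
    """
    applicable = [s for s in policy["Statement"]
                  if _statement_applies(s, caller_arn, action, resource)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "Deny"
    if any(s["Effect"] == "Allow" for s in applicable):
        return "Allow"
    return "ImplicitDeny"


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/q1.csv"
    print("broken, employee GetObject:", evaluate(BROKEN_POLICY, EMPLOYEE, "s3:GetObject", obj))
    print("fixed,  employee GetObject:", evaluate(FIXED_POLICY, EMPLOYEE, "s3:GetObject", obj))
    print("fixed,  employee PutObject:", evaluate(FIXED_POLICY, EMPLOYEE, "s3:PutObject", obj))
    print("fixed,  other    GetObject:", evaluate(FIXED_POLICY, OTHER, "s3:GetObject", obj))
```

Under the broken policy the employee's read is denied even though the Allow statement matches; under the fixed policy the read is allowed, a write falls through to implicit deny (read-only, as intended), and every other principal is still explicitly denied. Running the same check against a real bucket is what the IAM policy simulator or an S3 GetObject call from the employee's credentials would show.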