Q42 — AWS SCS-C02 Ch.1


A security engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the security engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message. What is the likely cause of this access denial?

Correct Answer: D. The allow permission is being overridden by the deny.

Explanation

Amazon S3 bucket policies follow the explicit-deny-wins principle. When a policy contains multiple statements, any explicit deny overrides an allow. In this question, the initial policy explicitly denies access to all users; if the allow statement added later does not precisely carve the employee out of the original deny's scope (by condition, principal, or resource), the deny takes precedence. AWS documentation states that policy changes take effect immediately, which rules out a timing issue. Option D matches this logic: the allow statement was not properly scoped and is overridden by the deny. Option A concerns ACLs, which are unrelated to bucket policies. Option B's IAM policy is not described as restricting access. Option C's time delay does not match how policies actually take effect.