Q96 — AWS SCS-C02 Ch.1
Question 96 of 100 | ← Chapter 1
A security engineer is configuring account-based access control (ABAC) to allow only specific principals to put objects into an Amazon S3 bucket. The principals already have access to Amazon S3. The security engineer needs to configure a bucket policy that allows principals to put objects into the S3 bucket only if the value of the Team tag on the object matches the value of the Team tag that is associated with the principal. During testing, the security engineer notices that a principal can still put objects into the S3 bucket when the tag values do not match. Which combination of factors are causing the PutObject operation to succeed when the tag values are different? (Choose two.)
- A. The principal's identity-based policy grants access to put objects into the S3 bucket with no conditions. ✓
- B. The principal's identity-based policy overrides the condition because the identity-based policy contains an explicit allow.
- C. The S3 bucket's resource policy does not deny access to put objects. ✓
- D. The S3 bucket's resource policy cannot allow actions to the principal.
- E. The bucket policy does not apply to principals in the same zone of trust.
Correct Answer: A. The principal's identity-based policy grants access to put objects into the S3 bucket with no conditions., C. The S3 bucket's resource policy does not deny access to put objects.
Explanation
AWS策略评估逻辑中,身份策略和资源策略共同作用。身份策略若无条件允许PutObject(选项A),即使资源策略有条件限制,只要资源策略未明确拒绝(选项C),请求仍可能被允许。根据AWS文档,策略结果为允许需所有适用策略均允许。身份策略允许但资源策略未拒绝可能导致权限绕过。选项A和C正确,因身份策略的许可未被资源策略的拒绝覆盖,标签检查条件失效。