AWS Certified Security – Specialty (SCS-C02) — Question 11

A security engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the security engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee sill receives an access denied message.
What is the likely cause of this access denial?

Answer options

• A. The ACL in the bucket needs to be updated.
• B. The IAM policy does not allow the user to access the bucket.
• C. It takes a few minutes for a bucket policy to take effect.
• D. The allow permission is being overridden by the deny.

Correct answer: D

Explanation

The correct answer is D because in AWS IAM policies, explicit deny statements take precedence over allow statements. Even if the policy allows access for the employee, the original deny in the bucket policy remains in effect, preventing access. The other options do not apply since the bucket's ACL is not the issue, the IAM policy is not necessarily preventing access, and bucket policies typically take effect immediately.