AWS Certified Security – Specialty (SCS-C02) — Question 292
A company has an application that needs to read objects from an Amazon S3 bucket. The company configures an IAM policy and attaches the policy to an IAM role that the application uses. When the application tries to read objects from the S3 bucket, the application receives AccessDenied errors.
A security engineer must resolve this problem without decreasing the security of the S3 bucket or the application.
Which solution will meet these requirements?
Answer options
- A. Attach a resource policy to the S3 bucket to grant read access to the role.
- B. Launch a new deployment of the application in a different AWS Region. Attach the role to the application.
- C. Review the IAM policy by using AWS Identity and Access Management Access Analyzer to ensure that the policy grants the right permissions. Validate that the application is assuming the role correctly.
- D. Ensure that the S3 Block Public Access feature is disabled on the S3 bucket. Review AWS CloudTrail logs to validate that the application is assuming the role correctly.
Correct answer: C
Explanation
Option C is correct because IAM Access Analyzer policy validation identifies errors and ineffective or overly permissive statements in the policy without loosening access, and verifying role assumption confirms that the application is actually running with the intended role credentials rather than some other identity. Option D is incorrect because disabling S3 Block Public Access decreases the security of the bucket. Options A and B are incorrect because they do not address the root cause: the identity-based policy attached to the role, or the application's assumption of that role.
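The two checks in option C, reviewing what the identity policy actually grants and confirming which principal the application is running as, can be reasoned through locally before touching the account. The block below is an added example, not part of the original question or any AWS tooling: it implements a deliberately simplified identity-policy evaluator (explicit Deny wins, then Allow, else implicit deny; no Condition, NotAction, NotResource, boundaries or SCPs) and runs it over a constructed policy that shows one of the most common causes of AccessDenied on reads: granting s3:GetObject against the bucket ARN instead of the object ARN (bucket/*). It also checks the ARN that sts:GetCallerIdentity would return against the expected role name. The bucket name, role name, account id and session name are placeholders.

```python
import fnmatch
import json

# Constructed policy (not from the page): the statement names the bucket ARN
# only, but s3:GetObject is evaluated against object ARNs
# (arn:aws:s3:::example-bucket/<key>), so reads fall through to an implicit
# deny and the application sees AccessDenied.
MISCONFIGURED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket"}
  ]
}
""")

# Corrected policy (also constructed): bucket-level and object-level actions
# each get the ARN form they are evaluated against, and an explicit Deny
# keeps a sensitive prefix off limits even though the Allow covers it.
CORRECTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/secrets/*"}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """IAM-style wildcard match ('*' and '?'). Action names are
    case-insensitive in IAM; resource ARNs are case-sensitive."""
    for pattern in _as_list(patterns):
        if case_sensitive and fnmatch.fnmatchcase(value, pattern):
            return True
        if not case_sensitive and fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return True
    return False


def evaluate(policy, action, resource):
    """Simplified identity-policy decision for one request: an explicit Deny
    wins over everything, otherwise a matching Allow is required, otherwise
    the result is an implicit deny. Condition, NotAction, NotResource,
    permissions boundaries, SCPs and resource policies are left out."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not _matches(statement.get("Action", []), action, case_sensitive=False):
            continue
        if not _matches(statement.get("Resource", []), resource, case_sensitive=True):
            continue
        if statement["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def denied_requests(policy, requests):
    """(action, resource) pairs the policy does not allow, i.e. the calls
    that would come back as AccessDenied."""
    return [(a, r) for a, r in requests if evaluate(policy, a, r) != "Allow"]


def is_expected_assumed_role(caller_arn, expected_role_name):
    """Compare the ARN reported by sts:GetCallerIdentity with the role the
    application should be using. An assumed-role ARN looks like
    arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>; an IAM
    user ARN or a different role means the policy under review is not even
    the one being evaluated for this caller."""
    parts = caller_arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "sts":
        return False
    resource = parts[5].split("/")
    return (len(resource) == 3 and resource[0] == "assumed-role"
            and resource[1] == expected_role_name)


if __name__ == "__main__":
    reads = [("s3:ListBucket", "arn:aws:s3:::example-bucket"),
             ("s3:GetObject", "arn:aws:s3:::example-bucket/reports/q1.csv")]
    print("misconfigured policy denies:", denied_requests(MISCONFIGURED_POLICY, reads))
    print("corrected policy denies:", denied_requests(CORRECTED_POLICY, reads))
    # Placeholder account id, role and session name.
    print(is_expected_assumed_role(
        "arn:aws:sts::123456789012:assumed-role/AppReadRole/app-session", "AppReadRole"))
```

In the account itself the equivalent steps are `aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY --policy-document file://policy.json`, which reports findings such as an action that can never match its resource, and `aws sts get-caller-identity` run from the application's environment, whose `Arn` field is what the last function checks. Neither step changes a permission or a bucket setting, which is why the fix keeps the security posture intact.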