AWS Certified Security – Specialty — Question 117
A Security Engineer creates an Amazon S3 bucket policy that denies access to all users. A few days later, the Security Engineer adds an additional statement to the bucket policy to allow read-only access to one other employee. Even after updating the policy, the employee still receives an access denied message.
What is the likely cause of this access denial?
Answer options
- A. The ACL in the bucket needs to be updated
- B. The IAM policy does not allow the user to access the bucket
- C. It takes a few minutes for a bucket policy to take effect
- D. The allow permission is being overridden by the deny
Correct answer: D
Explanation
The correct answer is D. In AWS policy evaluation, an explicit Deny always overrides an Allow, regardless of the order of the statements in the policy or where the Allow is granted. The original bucket policy denies access to all users, so the later statement that grants read-only access to the employee is overridden and the request is still denied. Options A and B could cause access problems in other situations, but they do not explain why the employee is still denied after the allow statement was added. Option C is incorrect because bucket policy updates typically take effect immediately.