AWS Certified Solutions Architect – Professional — Question 297

A company has multiple AWS accounts and manages these accounts which AWS Organizations. A developer was given IAM user credentials to access AWS resources. The developer should have read-only access to all Amazon S3 buckets in the account. However, when the developer tries to access the S3 buckets from the console, they receive an access denied error message with no bucket listed.
A solution architect reviews the permissions and finds that the developer's IAM user is listed as having read-only access to all S3 buckets in the account.
Which additional steps should the solutions architect take to troubleshoot the issue? (Choose two.)

Answer options

• A. Check the bucket policies for all S3 buckets.
• B. Check the ACLs for all S3 buckets.
• C. Check the SCPs set at the organizational units (OUs).
• D. Check for the permissions boundaries set for the IAM user.
• E. Check if an appropriate IAM role is attached to the IAM user.

Correct answer: D, E

Explanation

When an IAM user has the correct policy permissions but still faces an access denied error, checking the permissions boundaries is critical because they define the maximum permissions an IAM entity can have. Additionally, verifying if the user needs to assume or has been assigned an appropriate IAM role is a necessary troubleshooting step, as console access might require specific role-based delegation. Other options like bucket-level policies or ACLs typically affect individual bucket access rather than preventing the listing of all buckets globally in the console.