AWS Certified Solutions Architect – Professional — Question 879
A bucket owner has allowed the IAM users of other accounts to upload objects to, and access objects in, the bucket. An IAM user of Account A tries to access an object that an IAM user of Account B uploaded. What will happen in this scenario?
Answer options
- A. It is not possible to give permission to multiple IAM users
- B. AWS S3 will verify that access was granted by the owner of Account A (the requester's own account), by the bucket owner, and by IAM user B as the owner of the object
- C. The bucket policy may not be created as S3 will give error due to conflict of Access Rights
- D. It is not possible that the IAM user of one account accesses objects of the other IAM user
Correct answer: B
Explanation
A cross-account S3 object request has to clear three separate authorization contexts. User context: the requester's own account (Account A) must grant its IAM user the action through an identity-based policy. Bucket context: the bucket owner must grant the requester's account access through the bucket policy (or bucket ACL). Object context: the object owner must grant access through the object ACL; objects carry an ACL, not a policy. Here the object was uploaded by an IAM user of Account B, so under the legacy ObjectWriter ownership model Account B owns it and its ACL must grant READ to Account A. A request that any one of the three contexts does not allow is denied, and an explicit Deny in any policy overrides every Allow. Option A is wrong because a bucket policy can name any number of principals. Option C is wrong because S3 evaluates policies per request and does not reject a bucket policy on creation for logical conflicts with other grants. Option D is wrong because cross-account access to an object owned by a different principal is exactly what the object ACL grant enables. Caveat for current deployments: with S3 Object Ownership set to BucketOwnerEnforced (the default for new buckets since April 2023) ACLs are disabled and the bucket owner owns every object, so the object-owner context disappears and only the requester's IAM policy and the bucket policy decide.
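The three-context evaluation described above, as an added illustration that is not part of the original question or of AWS's own code. It is a deliberately simplified model: account IDs, the bucket name, the policies and the object key are constructed, conditions, bucket ACLs, session policies and permission boundaries are ignored, and principals are matched by account ID only. It shows a request being refused by each context in turn, and how the object-owner context vanishes once the bucket uses BucketOwnerEnforced.

```python
"""Simplified model of how S3 authorizes a cross-account GetObject.

Added example, not AWS code: it models only the three decisions the question turns on
(the requester's IAM policy, the bucket owner's bucket policy and the object owner's
ACL). Account IDs, bucket name, policies and object key below are constructed.
"""
from dataclasses import dataclass

ACCOUNT_A = "111111111111"      # requester's account (IAM user A lives here) - constructed
ACCOUNT_B = "222222222222"      # account whose IAM user uploaded the object - constructed
BUCKET_OWNER = "333333333333"   # account that owns the bucket - constructed
BUCKET = "shared-uploads"       # constructed bucket name
OBJECT_ARN_PATTERN = f"arn:aws:s3:::{BUCKET}/*"
OBJECT_ACTIONS = frozenset({"s3:GetObject", "s3:PutObject"})


@dataclass(frozen=True)
class Statement:
    effect: str                          # "Allow" or "Deny"
    actions: frozenset
    resources: frozenset                 # ARNs; a trailing "*" matches a prefix
    principals: frozenset = frozenset()  # account IDs; empty means an identity-based policy


@dataclass(frozen=True)
class ObjectRecord:
    key: str
    owner: str            # account that owns the object
    acl_read: frozenset   # accounts granted READ in the object ACL (empty when ACLs are disabled)


def _resource_matches(pattern, arn):
    return arn == pattern or (pattern.endswith("*") and arn.startswith(pattern[:-1]))


def evaluate(statements, principal_account, action, resource):
    """Return "Allow", "Deny" or None for one policy document. An explicit Deny always wins."""
    decision = None
    for s in statements:
        if s.principals and principal_account not in s.principals:
            continue
        if action not in s.actions or not any(_resource_matches(r, resource) for r in s.resources):
            continue
        if s.effect == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def put_object(key, uploader, object_ownership="ObjectWriter", acl_read=()):
    """Who owns a new object depends on the bucket's Object Ownership setting:
    ObjectWriter (legacy)  -> the uploading account owns it and its ACL applies;
    BucketOwnerEnforced    -> ACLs are disabled and the bucket owner owns every object."""
    if object_ownership == "BucketOwnerEnforced":
        return ObjectRecord(key, BUCKET_OWNER, frozenset())
    return ObjectRecord(key, uploader, frozenset(acl_read))


def authorize_get(requester_account, iam_policy, bucket_policy, obj):
    """Walk the three contexts in order; return (allowed, which context decided)."""
    arn = f"arn:aws:s3:::{BUCKET}/{obj.key}"
    # 1. User context: the requester's own account must grant its IAM user the action.
    if evaluate(iam_policy, None, "s3:GetObject", arn) != "Allow":
        return False, "requester account: IAM policy does not allow s3:GetObject"
    # 2. Bucket context: the bucket owner must grant the requester's account in the bucket policy.
    if evaluate(bucket_policy, requester_account, "s3:GetObject", arn) != "Allow":
        return False, "bucket owner: bucket policy does not allow the requester's account"
    # 3. Object context: the object owner must grant READ, unless the bucket owner (whose bucket
    #    policy already spoke) or the requester itself owns the object.
    if obj.owner in (BUCKET_OWNER, requester_account) or requester_account in obj.acl_read:
        return True, "all three contexts allow"
    return False, "object owner: object ACL does not grant READ to the requester's account"


# Constructed policies: Account A's identity policy for its IAM user, and the bucket owner's
# bucket policy granting both foreign accounts object access.
IAM_POLICY_A = [Statement("Allow", OBJECT_ACTIONS, frozenset({OBJECT_ARN_PATTERN}))]
BUCKET_POLICY = [Statement("Allow", OBJECT_ACTIONS, frozenset({OBJECT_ARN_PATTERN}),
                           frozenset({ACCOUNT_A, ACCOUNT_B}))]


def scenarios():
    """The cases from the question, as {name: (allowed, reason)}."""
    key = "reports/q3.csv"   # constructed object key
    with_acl = put_object(key, ACCOUNT_B, acl_read=[ACCOUNT_A])
    without_acl = put_object(key, ACCOUNT_B)
    enforced = put_object(key, ACCOUNT_B, object_ownership="BucketOwnerEnforced")
    bucket_policy_without_a = [Statement("Allow", OBJECT_ACTIONS, frozenset({OBJECT_ARN_PATTERN}),
                                         frozenset({ACCOUNT_B}))]
    return {
        "all_three_grant": authorize_get(ACCOUNT_A, IAM_POLICY_A, BUCKET_POLICY, with_acl),
        "object_owner_silent": authorize_get(ACCOUNT_A, IAM_POLICY_A, BUCKET_POLICY, without_acl),
        "bucket_owner_silent": authorize_get(ACCOUNT_A, IAM_POLICY_A, bucket_policy_without_a, with_acl),
        "requester_account_silent": authorize_get(ACCOUNT_A, [], BUCKET_POLICY, with_acl),
        "bucket_owner_enforced": authorize_get(ACCOUNT_A, IAM_POLICY_A, BUCKET_POLICY, enforced),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in scenarios().items():
        print(f"{name:26} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

Only `all_three_grant` and `bucket_owner_enforced` are allowed; the other three fail at the context whose owner stayed silent, which is the point of option B. The last case also shows why the legacy "uploader must set bucket-owner-full-control" dance goes away once ACLs are disabled.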