AWS Certified SysOps Administrator – Associate (legacy) — Question 389
An IAM user has two conflicting policies as part of two separate groups. One policy allows him to access an S3 bucket, while another policy denies him the access. Can the user access that bucket?
Answer options
- A. Yes, always
- B. No
- C. Yes, provided he accesses with the group which has S3 access
- D. Yes, but just read only access of the bucket
Correct answer: B
Explanation
In AWS IAM, policy evaluation is default-deny: a request is denied unless some applicable policy explicitly allows it, and an explicit Deny in any applicable policy overrides every Allow. All identity-based policies attached to the user and to every group the user belongs to are evaluated together for each request, so the user cannot choose to act "as" the group that holds the Allow (option C). Because one of the group policies explicitly denies access to the S3 bucket, the user's access is blocked regardless of the other group's allow policy.
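To make the evaluation rule concrete, the following added Python example (not part of the original question, and not AWS code) models the identity-policy part of IAM's evaluation logic over two constructed group policies that mirror the scenario. It generalises slightly beyond the question by accepting any number of policies and any action/resource pair; it deliberately ignores Conditions, NotAction/NotResource, resource-based policies, permission boundaries and SCPs, and matches names case-sensitively.

```python
import fnmatch

# Constructed sample policies (assumed, not taken from the question):
# group A allows reads on a bucket, group B explicitly denies all S3 on it.
GROUP_A_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }]
}
GROUP_B_POLICY = {
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket*",
    }]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM treats '*' and '?' in Action and Resource as wildcards.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request.

    Rules, in the order IAM applies them for identity-based policies:
    1. implicit deny by default;
    2. an explicit Allow in any matching statement grants access;
    3. an explicit Deny in any matching statement overrides every Allow.
    Every policy is consulted, whichever group it came from.
    """
    explicit_allow = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue  # statement does not apply to this request
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins immediately
            if stmt["Effect"] == "Allow":
                explicit_allow = True  # remember, but keep scanning for a Deny
    return "Allow" if explicit_allow else "Deny"  # no Allow matched: implicit deny
```

Running `evaluate([GROUP_A_POLICY, GROUP_B_POLICY], "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv")` returns "Deny", and the result does not change if the policies are passed in the opposite order.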