AWS Certified SysOps Administrator – Associate (legacy) — Question 409
Which method can be used to prevent an IP address block from accessing public objects in an S3 bucket?
Answer options
- A. Create a bucket policy and apply it to the bucket
- B. Create a NACL and attach it to the VPC of the bucket
- C. Create an ACL and apply it to all objects in the bucket
- D. Modify the IAM policies of any users that would access the bucket
Correct answer: A
Explanation
An S3 bucket policy can contain an explicit Deny statement conditioned on a specific IP address range (the aws:SourceIp condition key), and an explicit deny always takes precedence over any Allow, so it blocks that range even though the objects remain publicly readable for everyone else. Network ACLs (NACLs) cannot restrict access to S3 because S3 is a regional public service that sits outside the VPC, and S3 object ACLs have no concept of IP-based conditions. Modifying IAM policies is also ineffective because public access is anonymous and is not evaluated against any IAM user's policies.
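As an added illustration (not part of the original question or of AWS documentation), this is the kind of bucket policy the explanation describes: the first statement grants the public read that the question assumes already exists, and the second explicitly denies the same action when the request comes from a blocked range. EXAMPLE-BUCKET and the ranges 203.0.113.0/24 and 2001:db8::/32 are placeholders (reserved documentation addresses), not real values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicReadOfObjects",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"
    },
    {
      "Sid": "DenyObjectReadFromBlockedRange",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "203.0.113.0/24",
            "2001:db8::/32"
          ]
        }
      }
    }
  ]
}
```

Because an explicit Deny wins over any Allow, the second statement also blocks reads that were granted through object ACLs rather than the policy. aws:SourceIp matches the address the request actually arrives from, so clients reaching the bucket through a VPC endpoint (use aws:VpcSourceIp there) or through a CloudFront distribution are not matched by their public IP.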