Refer to the exhibit. An IAM policy is attached to an IAM user. The user is trying to upload an object to 's3://data-lake-bucket/confidential/report.pdf' using the AWS CLI. The upload fails with an AccessDenied error. What is the reason for the failure?
Explicit Deny always takes precedence over Allow.
Why this answer
Option A is correct because an explicit Deny overrides any Allow. The Deny statement blocks all s3 actions on the confidential prefix, even though the Allow statement grants PutObject. Option B is wrong because the policy allows PutObject on the bucket.
Option C is wrong because the resource is specified correctly. Option D is wrong because the user has permissions on other parts of the bucket.