A data engineer is troubleshooting an access issue. A user has the IAM policy shown in the exhibit. The user attempts to upload an object to `s3://data-lake-bucket/confidential/report.pdf`. What will happen?
The Deny statement explicitly denies all s3 actions on the confidential prefix, taking precedence over the Allow.
Why this answer
Option B is correct because the explicit Deny overrides the Allow, so the upload will be denied. Option A is incorrect because the user has s3:PutObject allowed for the bucket, but the Deny for the confidential path takes precedence. Option C is incorrect because the policy is valid.
Option D is incorrect because the Deny is explicit.