The correct answer is that the IAM policy is missing the s3:GetBucketLocation action. The `aws s3 ls s3://my-bucket/` command must first call GetBucketLocation to determine the bucket’s AWS region before it can list objects, even if the user already has s3:ListBucket permission. Without this action, the CLI fails with an AccessDenied error because it cannot resolve the bucket’s endpoint. On the AWS Certified Developer Associate DVA-C02 exam, this is a classic trap: candidates often assume that only s3:ListBucket is needed for listing, but the CLI’s underlying API call sequence requires location discovery first. The exam tests your understanding that S3 operations are region-aware, and many permissions are chained. A useful memory tip: “List needs Location first” — think of it as needing to know where the bucket lives before you can see what’s inside.
DVA-C02 Troubleshooting and Optimization Practice Question
This DVA-C02 practice question tests your understanding of troubleshooting and optimization. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A developer attached the IAM policy above to an IAM user. The user reports being unable to list objects in the bucket 'my-bucket' using the AWS CLI command 'aws s3 ls s3://my-bucket/'. What is the most likely reason?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
The IAM policy does not include the s3:GetBucketLocation action.
The `aws s3 ls s3://my-bucket/` command requires the `s3:GetBucketLocation` permission to determine the bucket's region before listing its contents. Without this action, the CLI fails with an error like 'An error occurred (AccessDenied) when calling the GetBucketLocation operation', even if `s3:ListBucket` is granted. Option D correctly identifies this missing permission as the root cause.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
The IAM policy does not allow the s3:GetObject action on the bucket.
Why it's wrong here
GetObject is not needed for listing objects.
✗
The IAM policy resource for s3:ListBucket should include the bucket and objects.
Why it's wrong here
ListBucket only requires the bucket ARN.
✗
The IAM policy is missing the s3:ListAllMyBuckets action.
Why it's wrong here
ListAllMyBuckets is for listing all buckets, not for listing objects in a specific bucket.
✓
The IAM policy does not include the s3:GetBucketLocation action.
Why this is correct
The CLI needs GetBucketLocation to determine the bucket's region.
Clue confirmation
The clue word "most likely" in the question point toward this answer.
Related concept
Read the scenario before looking for a memorised answer.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often focus on the `ListBucket` permission and overlook the prerequisite `GetBucketLocation` call, assuming the CLI only needs the list action for the `ls` command.
Detailed technical explanation
How to think about this question
The AWS CLI's `ls` command for a specific bucket internally calls `GetBucketLocation` first to determine the regional endpoint, then uses `ListObjectsV2` (or `ListObjects`) against that endpoint. If `GetBucketLocation` is denied, the CLI cannot proceed, even if `ListBucket` is allowed. This is a common pitfall when using cross-region buckets or when policies are too restrictive on location-related actions.
KKey Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
TExam Day Tips
→Watch for words such as best, first, most likely and least administrative effort.
→Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Troubleshooting and Optimization — This question tests Troubleshooting and Optimization — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: The IAM policy does not include the s3:GetBucketLocation action. — The `aws s3 ls s3://my-bucket/` command requires the `s3:GetBucketLocation` permission to determine the bucket's region before listing its contents. Without this action, the CLI fails with an error like 'An error occurred (AccessDenied) when calling the GetBucketLocation operation', even if `s3:ListBucket` is granted. Option D correctly identifies this missing permission as the root cause.
What should I do if I get this DVA-C02 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This DVA-C02 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the DVA-C02 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.