A solutions architect is designing an S3 bucket for a IoT ingestion API. The objects must never be publicly accessible, even if a developer later adds an overly broad bucket policy. What should the architect configure?
S3 Block Public Access prevents public ACLs and public bucket policies from exposing the bucket.
Why this answer
Option C is correct because S3 Block Public Access provides a definitive override that prevents any public access to objects regardless of other policies. When enabled at the account or bucket level, it blocks all public access settings, including those from bucket policies, access control lists (ACLs), or object ACLs, ensuring that even if a developer later adds an overly broad bucket policy, the objects remain private. This is the only mechanism that cannot be overridden by a bucket policy, making it the appropriate choice for a strict no-public-access requirement.
Exam trap
The trap here is that candidates often choose an IAM policy (Option B) thinking it can block public access, but they miss that bucket policies can grant permissions to anonymous users independently of IAM, making S3 Block Public Access the only guaranteed safeguard.
How to eliminate wrong answers
Option A is wrong because S3 Transfer Acceleration is a feature that speeds up uploads over long distances using AWS edge locations and has no effect on access control or public accessibility. Option B is wrong because an IAM policy that denies s3:GetObject to anonymous users only applies to IAM principals; it does not block access granted by a bucket policy that explicitly allows public access, as bucket policies can grant permissions to anonymous principals (e.g., `"Principal": "*"`) independently of IAM. Option D is wrong because server access logging records requests made to the bucket for auditing purposes but does not enforce any access restrictions or prevent public access.